Preface 



This volume contains the proceedings of FroCoS 2000, the 3rd International 
Workshop on Frontiers of Combining Systems, held March 22-24, 2000, in Nancy, 
France. Like its predecessors organized in Munich (1996) and in Amsterdam 
(1998), FroCoS 2000 is intended to offer a common forum for research activities 
related to the combination and the integration of systems in the areas of logic, 
automated deduction, constraint solving, declarative programming, and artificial 
intelligence. 

There were 31 submissions of overall high quality, authored by researchers 
from countries including Australia, Brazil, Belgium, Chile, France, Germany, 
Japan, Ireland, Italy, Portugal, Spain, Switzerland, The Netherlands, the United 
Kingdom, and the United States of America. All submissions were thoroughly 
evaluated on the basis of at least three referee reports, and an electronic program 
committee meeting was held through the Internet. The program committee selected 
14 research contributions. The topics covered by the selected papers include: 
combination of logics; combination of constraint solving techniques, combination 
of decision procedures; modular properties for theorem proving; combination of 
deduction systems and computer algebra; integration of decision procedures and 
other solving processes into constraint programming and deduction systems. 

We welcomed five invited lectures by Alexander Bockmayr on “Combining 
Logic and Optimization in Cutting Plane Theory”, Gilles Dowek on “Axioms 
vs. Rewrite Rules: From Completeness to Cut Elimination”, Klaus Schulz on 
“Why Combined Decision Problems Are Often Intractable”, Tomas Uribe on 
“Combinations of Theorem Proving and Model Checking”, and Richard Zippel 
on “Program Composition Techniques for Numerical PDE Codes”. Full papers 
of these lectures, except the last one, are also included in this volume. 

Many people and institutions have contributed to the realization of this 
conference. We would like to thank the members of the program committee and 
all the referees for their care and time in reviewing and selecting the submitted 
papers; the members of the organizing committee for their help in the practical 
organization of the conference; and all institutions that supported FroCoS 2000: 
CNRS, Communaute Urbaine du Grand Nancy, Conseil General de Meurthe et 
Moselle, Conseil Regional de Lorraine, France Telecom CNET, GDR ALP, INPL, 
INRIA, LORIA, Universite Henri-Poincare-Nancy 1, and Universite Nancy 2. 
Abstract. Cutting planes were introduced in 1958 by Gomory in order 
to solve integer linear optimization problems. Since then, they have 
received a lot of interest, not only in mathematical optimization, but also 
in logic and complexity theory. In this paper, we present some recent 
results on cutting planes at the interface of logic and optimization. Main 
emphasis is on the length and the rank of cutting plane proofs based on 
the Gomory-Chvatal rounding principle. 



1 Introduction 

Cutting planes were introduced in a seminal paper of Gomory (1958) in order 
to solve linear optimization problems over the integer numbers. In mathematical 
optimization, cutting planes are used to tighten the linear programming 
relaxation of an integer optimization problem. From the viewpoint of logic, a cutting 
plane is a linear inequality $c^T x \le \delta$ derived from a system of linear inequalities 
$Ax \le b$ such that the implication $Ax \le b \Rightarrow c^T x \le \delta$ is valid in the ring of 
integer numbers $\mathbb{Z}$, but not in the field of real or rational numbers $\mathbb{R}$ resp. $\mathbb{Q}$. 
Geometrically speaking, a cutting plane cuts off a part of the real solution set 
$P$ of $Ax \le b$, while leaving invariant the set $S$ of integer solutions (see Fig. 1). 

Cutting plane principles developed in mathematical optimization have nice 
logical properties. They provide sound and complete inference systems for 
reasoning with linear inequalities in integer variables. Any clause in propositional 
logic 

$$x_1 \vee \dots \vee x_m \vee \bar{y}_1 \vee \dots \vee \bar{y}_k \qquad (1)$$

can be translated into a clausal inequality 

$$x_1 + \dots + x_m + (1 - y_1) + \dots + (1 - y_k) \ge 1 \quad \text{or} \quad x_1 + \dots + x_m - y_1 - \dots - y_k \ge 1 - k.$$

A clause set is satisfiable if and only if the corresponding system of clausal 
inequalities together with the bounds $0 \le x_i, y_j \le 1$ has an integer solution. 
Fig. 1. Cutting plane 



This shows that reasoning in propositional logic can be seen as a special case of 
reasoning with linear inequalities in integer variables. 

Looking at logical inference from an optimization perspective allows one to 
apply tools from algebra and geometry to study the complexity of a logical 
inference problem, and to represent the set of all possible inferences in an algebraic 
way. This can be used to select one or more strongest inferences according to 
some quality measure, which leads to new algorithms for both satisfiability and 
optimization. 

The structure of this paper is as follows. In Sect. 2, we use inference rules 
to present some basic results on solving equations and inequalities over real or 
rational numbers. We also recall the complexity of the underlying algorithmic 
problems. In Sect. 3, we introduce cutting planes from the viewpoint of integer 
linear optimization. Then we focus on their logical properties and present a 
soundness and completeness result for the corresponding inference system. Sect. 4 
is about the complexity of the elementary closure, which is obtained by adding 
to a linear inequality system all possible Gomory-Chvatal cutting planes. Sect. 5 
contains a number of important results on the complexity of cutting plane proofs 
in propositional logic. Finally, Sect. 6 presents logic-based cutting planes for 
extended clauses. 

The results presented in this paper are by no means exhaustive. We selected 
some recent results at the interface of logic and optimization that are particularly 
relevant for cutting plane theory. For a comprehensive treatment of optimization 
methods for logical inference, we refer the reader to the beautiful monograph 
(Chandru & Hooker 1999). 
2 Linear Equations and Inequalities 

2.1 Linear Equations over Q or R 

Let $F$ denote the field of real or rational numbers and consider a system of linear 
equations 

$$a_1^T x = \beta_1, \;\dots,\; a_m^T x = \beta_m \quad \Longleftrightarrow \quad Ax = b, \qquad (3)$$

with vectors $a_1, \dots, a_m \in F^n$, numbers $\beta_1, \dots, \beta_m \in F$, a matrix $A \in F^{m \times n}$, and 
a vector $b \in F^m$. Moreover, $\cdot^T$ denotes transposition of a vector or a matrix. 

The basic inference principle to derive from this system a new equation $c^T x = \delta$, 
with $c \in F^n$, $\delta \in F$, is taking a linear combination of the given equations. More 
precisely, we can multiply each equation $a_i^T x = \beta_i$ by a number $u_i \in F$ and add 
up the resulting equations $u_i a_i^T x = u_i \beta_i$, for $i = 1, \dots, m$. In matrix notation, 
this can be expressed by the inference rule 

$$\text{lin\_com}: \quad \frac{Ax = b}{(u^T A)x = u^T b} \quad \text{if } u \in F^m \qquad (4)$$

If $Ax = b$ is solvable in $F^n$, the rule lin_com allows us to derive any implied 
equation $c^T x = \delta$. If $Ax = b$ is not solvable, we can get the contradiction $0 = 1$. 

Proposition 1. The system $Ax = b$ is not solvable in $F^n$ if and only if there 
exists $u \in F^m$ such that $u^T A = 0$ and $u^T b = 1$. If $Ax = b$ is solvable, an equation 
$c^T x = \delta$ is implied by $Ax = b$ in $F^n$ if and only if there exists $u \in F^m$ such that 
$u^T A = c^T$ and $u^T b = \delta$. 

The solution set of a single linear equation $a^T x = \beta$ defines a hyperplane 
in the $n$-dimensional affine space $F^n$. The solution set $S$ of a system of linear 
equations $Ax = b$ corresponds to an intersection of hyperplanes, i.e., an affine 
subspace. For $x^0 \in S$ the set $U = \{x - x^0 \mid x \in S\}$ defines a linear subspace 
of the $n$-dimensional vector space $F^n$. If $\dim U = k$, then $U$ is generated by $k$ 
linearly independent vectors $x^1, \dots, x^k \in F^n$. 

Using Gaussian elimination, systems of linear equalities over the rational 
numbers can be solved in polynomial time. The basic idea of this algorithm is 
successive variable elimination by repeated application of rule lin_com. 



2.2 Linear Inequalities over Q or R 

Given a system of linear inequalities $Ax \le b$, $x \in F^n$, the basic principle to 
derive a new inequality $c^T x \le \delta$ is taking a non-negative linear combination of 
the given inequalities. Another possibility is weakening the right-hand side. We 
capture this by the following two inference rules: 

$$\text{nonneg\_lin\_com}: \quad \frac{Ax \le b}{(u^T A)x \le u^T b} \quad \text{if } u \in F^m,\ u \ge 0 \qquad (5)$$

$$\text{weak\_rhs}: \quad \frac{a^T x \le \beta}{a^T x \le \beta'} \quad \text{if } \beta \le \beta' \qquad (6)$$



Again there is a soundness and completeness result, which in the theory of linear 
optimization is known as Farkas’ Lemma. Any implied inequality of a solvable 
system can be obtained by one application of the rule nonneg_lin_com followed 
by one application of weak_rhs. 



Proposition 2 (Farkas’ Lemma). The system $Ax \le b$ has no solution $x \in F^n$ 
if and only if there exists $y \in F^m$, $y \ge 0$ such that $y^T A = 0$ and $y^T b = -1$. If 
$Ax \le b$ is solvable, then an inequality $c^T x \le \delta$ is implied by $Ax \le b$ in $F^n$ if and 
only if there exists $y \in F^m$, $y \ge 0$ such that $y^T A = c^T$ and $y^T b \le \delta$. 

The solution set of a linear inequality $a^T x \le \beta$, $a \ne 0$, defines a half space 
in $n$-dimensional affine space $F^n$, which will be denoted by $(a^T x \le \beta)$. The 
solution set $P$ of a system of linear inequalities $Ax \le b$, i.e., an intersection of 
finitely many halfspaces, is called a polyhedron. The polyhedron $P$ is rational if 
$A \in \mathbb{Q}^{m \times n}$ and $b \in \mathbb{Q}^m$. A bounded polyhedron is called a polytope. An inequality 
$c^T x \le \delta$ is called valid for a polyhedron $P$ if $P \subseteq (c^T x \le \delta)$. A set $F \subseteq P$ is 
called a face of $P$ if there exists an inequality $c^T x \le \delta$ valid for $P$ such that 
$F = \{x \in P \mid c^T x = \delta\}$. A point $v$ in $P$ such that $\{v\}$ is a face of $P$ is called 
a vertex of $P$. A polyhedron is called pointed if it has a vertex. A non-empty 
polyhedron $P = \{x \mid Ax \le b\}$ is pointed if and only if $A$ has full column rank. 
A facet of $P$ is an inclusionwise maximal face $F$ with $\emptyset \ne F \ne P$. Equivalently, 
a facet is a nonempty face of $P$ of dimension $\dim(P) - 1$. If a polyhedron $P$ is 
full-dimensional then $P$ has a representation $P = \{x \in F^n \mid Ax \le b\}$ such that 
each inequality in the system $Ax \le b$ defines a facet of $P$ and such that each 
facet of $P$ is defined by exactly one of these inequalities. 

In addition to the outer description of a polyhedron as the solution set of 
a linear inequality system, there is also an inner description, which is based on 
vertices and extreme rays. A vector $r \in \mathbb{R}^n$ is called a ray of the polyhedron $P$ if 
for each $x \in P$ the set $x + F_{\ge 0} \cdot r$ is contained in $P$. A ray $r$ of $P$ is extreme if there 
do not exist two linearly independent rays $r^1, r^2$ of $P$ such that $r = \frac{1}{2}(r^1 + r^2)$. 
For each polyhedron $P \subseteq F^n$ there exist finitely many points $p^1, \dots, p^k$ in $P$ 
and finitely many rays $r^1, \dots, r^l$ of $P$ such that 

$$P = \mathrm{conv}(p^1, \dots, p^k) + \mathrm{cone}(r^1, \dots, r^l). \qquad (7)$$

Here $\mathrm{conv}(p^1, \dots, p^k) = \{\lambda_1 p^1 + \dots + \lambda_k p^k \mid \lambda_1, \dots, \lambda_k \ge 0,\ \lambda_1 + \dots + \lambda_k = 1\}$ 
denotes the convex hull of $p^1, \dots, p^k$, and $\mathrm{cone}(r^1, \dots, r^l) = \{\mu_1 r^1 + \dots + \mu_l r^l \mid \mu_1, \dots, \mu_l \ge 0\}$ 
the conic hull of $r^1, \dots, r^l$. If the polyhedron $P$ is pointed then 
the $p^i$ are the uniquely determined vertices of $P$, and the $r^j$ are representatives 
of the up to scalar multiplication uniquely determined extreme rays of $P$. This 
yields a parametric description of the solution set of a system of linear 
inequalities. In particular, every polytope can be described as the convex hull of its 
vertices. 

For a long time, it was an open question whether there exists a polynomial 
algorithm for solving linear inequalities over the rational numbers. Only in 1979, 
Khachiyan showed that the ellipsoid method for nonlinear programming can be 
adapted to solve linear inequalities and linear programming problems in poly- 
nomial time. 

Theorem 1 (Khachiyan 79). The following problems are solvable in polynomial 
time: 

— Given a matrix $A \in \mathbb{Q}^{m \times n}$ and a vector $b \in \mathbb{Q}^m$, decide whether $Ax \le b$ has 
a solution $x \in \mathbb{Q}^n$, and if so, find one. 

— Given a rational matrix $A \in \mathbb{Q}^{m \times n}$ and a rational vector $b \in \mathbb{Q}^m$, decide 
whether $Ax = b$ has a nonnegative solution $x \in \mathbb{Q}^n$, $x \ge 0$, and if so, find 
one. 

— (Linear programming problem) Given a matrix $A \in \mathbb{Q}^{m \times n}$ and vectors $b \in \mathbb{Q}^m$, 
$c \in \mathbb{Q}^n$, decide whether $\max\{c^T x \mid Ax \le b,\ x \in \mathbb{Q}^n\}$ is infeasible, finite, 
or unbounded. If it is finite, find an optimal solution. If it is unbounded, find 
a feasible solution $x_0$, and find a vector $z \in \mathbb{Q}^n$ with $Az \le 0$ and $c^T z > 0$. 



2.3 Linear Inequalities over Z 

The problems that we have considered so far can all be solved in polynomial 
time. In this section, we consider systems of linear inequalities over the integer 
numbers 



$$Ax \le b,\ x \in \mathbb{Z}^n, \qquad (8)$$

and, as a special case, systems of linear equations over the non-negative integer 
numbers $Ax = b$, $x \in \mathbb{N}^n$. The solution set of (8) may be infinite. However, there 
is again a finite parametric description. 

Theorem 2. Let $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$, with $A \in \mathbb{Z}^{m \times n}$ and $b \in \mathbb{Z}^m$, be a 
rational polyhedron and let $S = P \cap \mathbb{Z}^n$ be the set of integer points contained 
in $P$. Then there exist finitely many points $p^1, \dots, p^k$ in $S$ and finitely many 
rays $r^1, \dots, r^l \in \mathbb{Z}^n$ of $P$ such that 

$$S = \Big\{ \sum_{i=1}^{k} \lambda_i p^i + \sum_{j=1}^{l} \mu_j r^j \;\Big|\; \lambda_i, \mu_j \in \mathbb{N},\ \sum_{i=1}^{k} \lambda_i = 1 \Big\}. \qquad (9)$$

The absolute value of all $p^i$ and $r^j$ can be bounded by $(n+1)\Delta$, where $\Delta$ is the 
maximum absolute value of the subdeterminants of the matrix $(A \mid b)$. 

In particular, this theorem implies that if a system of linear inequalities 
has an integral solution, then it has one whose encoding length is polynomially 
bounded by the encoding length of the input $(A \mid b)$. Therefore, we can conclude: 

Theorem 3. The problem of deciding for a rational matrix $A \in \mathbb{Q}^{m \times n}$ and a 
rational vector $b \in \mathbb{Q}^m$ whether the system of linear inequalities $Ax \le b$ has an 
integral solution $x \in \mathbb{Z}^n$ is NP-complete. 

In contrast to the polynomial solvability of 2SAT, the problem stays NP-complete 
if we admit only two variables in each constraint (Lagarias 1985). The following 
problems are also NP-complete: 

— Given $A \in \mathbb{Q}^{m \times n}$, $b \in \mathbb{Q}^m$, does $Ax = b$ have a nonnegative integral solution 
$x \in \mathbb{Z}^n$, $x \ge 0$? 

— Given $A \in \mathbb{Q}^{m \times n}$, $b \in \mathbb{Q}^m$, does $Ax = b$ have a 0-1 solution $x \in \{0, 1\}^n$? 

— Given $a \in \mathbb{Q}^n$, $\beta \in \mathbb{Q}$, does $a^T x = \beta$ have a nonnegative integral solution 
$x \in \mathbb{Z}^n$, $x \ge 0$? 

— Given $a \in \mathbb{Q}^n$, $\beta \in \mathbb{Q}$, does $a^T x = \beta$ have a 0-1 solution $x \in \{0, 1\}^n$? 

— Knapsack problem: Given $a, c \in \mathbb{Q}^n$ and $\beta, \delta \in \mathbb{Q}$, is there a 0-1 vector 
$x \in \{0, 1\}^n$ with $a^T x \le \beta$ and $c^T x \ge \delta$? 

While solving linear diophantine inequalities in general is NP-hard, a celebrated 
result of Lenstra (1983) states that this can be done in polynomial time, if 
the dimension $n$ is fixed. Before Lenstra’s theorem was obtained, this was known 
only for the cases $n = 1, 2$. 

Theorem 4 (Lenstra 83). For each fixed natural number $n$, there exists a 
polynomial algorithm which finds an integral solution $x \in \mathbb{Z}^n$ of a given system 
$Ax \le b$, $A \in \mathbb{Q}^{m \times n}$, $b \in \mathbb{Q}^m$ in $n$ variables, or decides that no such solution 
exists. 

3 Cutting Planes 

Consider the integer linear optimization problem 

$$\max\{c^T x \mid Ax \le b,\ x \in \mathbb{Z}^n\}, \qquad A \in \mathbb{Z}^{m \times n},\ b \in \mathbb{Z}^m. \qquad (10)$$

An important consequence of Theorem 2 is that for a rational polyhedron $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$, 
the convex hull $\mathrm{conv}(S)$ of the set of integer points $S = P \cap \mathbb{Z}^n$ in $P$ 
is again a rational polyhedron. Therefore, in principle, the integer 
optimization problem (10) can be reduced to an ordinary linear optimization 
problem 

$$\max\{c^T x \mid x \in \mathrm{conv}(S) \subseteq \mathbb{R}^n\} \qquad (11)$$

over the rational polyhedron $\mathrm{conv}(S)$. If (11) has a bounded optimal value, then 
it has an optimal solution, namely an extreme point of $\mathrm{conv}(S)$, which is an 
optimal solution of (10). The objective value of (10) is unbounded from above if 
and only if the objective value of (11) is unbounded from above. 

If we had a linear inequality system $Cx \le d$ defining the polyhedron $\mathrm{conv}(S)$, 
we could solve (11) with a polynomial linear programming algorithm. In general, 
the polyhedron $\mathrm{conv}(S)$ will have exponentially many facets. Therefore, such a 
description cannot be obtained in polynomial time. However, in order to find an 
optimal solution of (10), an approximation of $\mathrm{conv}(S)$ might be sufficient. This 
idea leads to cutting plane algorithms for solving the integer linear optimization 
problem. We start with the linear programming relaxation $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$ 
of the original problem. Then we add new inequalities which are satisfied by 
all points in $S$ but which cut off at least one fractional vertex of $P$. These are 
called cutting planes (Fig. 1). This is repeated until an integer vertex is obtained, 
which belongs to the integer solution set $S$ and maximizes $c^T x$. 



3.1 Gomory-Chvatal Cutting Planes 

One basic inference rule for deriving cutting planes is the Gomory-Chvatal 
rounding principle: 

$$\text{Rounding}: \quad \frac{a^T x \le \beta}{a^T x \le \lfloor \beta \rfloor} \quad \text{if } a \in \mathbb{Z}^n \qquad (12)$$

If $a \in \mathbb{Z}^n$ is an integer vector, then for all integer vectors $x \in \mathbb{Z}^n$, the left-hand 
side of the inequality $a^T x \le \beta$ is an integer. Therefore, we do not lose 
any integer solution if we round down the right-hand side $\beta$ to the next integer 
number $\lfloor \beta \rfloor$. Geometrically, this means the following. Assume that the entries of 
$a$ are relatively prime integer numbers and that $\beta$ is fractional. Then rounding $\beta$ 
means that we translate the hyperplane $a^T x = \beta$ until it meets an integer point. 
Given a system of linear inequalities $Ax \le b$, a Gomory-Chvatal cutting plane is 
obtained by combining the rules nonneg_lin_com and Rounding. 

$$\text{GC\_cp}: \quad \frac{Ax \le b}{u^T A x \le \lfloor u^T b \rfloor} \quad \text{if } u \ge 0,\ u^T A \in \mathbb{Z}^n \qquad (13)$$

A cutting plane proof of length $l$ of an inequality $c^T x \le \delta$ from $Ax \le b$ is a 
sequence of inequalities $c_1^T x \le \delta_1, \dots, c_l^T x \le \delta_l$ such that 

$$\text{GC\_cp}: \quad \frac{Ax \le b,\ c_1^T x \le \delta_1,\ \dots,\ c_{i-1}^T x \le \delta_{i-1}}{c_i^T x \le \delta_i} \quad \text{for each } i = 1, \dots, l, \qquad (14)$$

and 

$$\text{weak\_rhs}: \quad \frac{c_l^T x \le \delta_l}{c^T x \le \delta}. \qquad (15)$$

Gomory-Chvatal cutting planes provide a complete inference system for linear 
diophantine inequalities. 



Theorem 5 (Chvatal 73, Schrijver 80). Let $P = \{x \in F^n \mid Ax \le b\}$ be a 
non-empty polyhedron that is rational or bounded and let $S = P \cap \mathbb{Z}^n$. 

— If $S \ne \emptyset$ and $c^T x \le \delta$ is valid for $S$, then there is a cutting plane proof of 
$c^T x \le \delta$ from $Ax \le b$. 

— If $S = \emptyset$, then there is a cutting plane proof starting from $Ax \le b$ yielding 
the contradiction $0 \le -1$. 

In the given form, the Gomory-Chvatal principle is not effective. It is not 
clear how to choose the weights in the non-negative linear combination of the 
given constraint matrix. However, several well-known inference rules are subsumed 
by the Gomory-Chvatal principle, see Section 6. The first cutting plane procedure 
for solving integer linear optimization problems was proposed by Gomory 
(1958). Here, the cutting planes are generated from a basic feasible solution in 
the Simplex algorithm. If $v$ is a vertex of the polyhedron $P$ such that the $i$-th 
component $v_i$ is fractional, then by a simple rounding operation one can obtain 
a valid inequality for $P \cap \mathbb{Z}^n$ that cuts off $v$. Gomory showed that by 
systematically adding these cuts, and using the dual simplex method with appropriate 
anticycling rules, one can obtain a finitely terminating cutting plane algorithm 
for general integer linear optimization problems. The practical performance of 
Gomory’s original algorithm is not good. However, recent work in computational 
integer programming has shown that Gomory’s cutting planes may be very useful 
when used in a branch-and-cut algorithm, see e.g. (Balas, Ceria, Cornuejols 
& Natraj 1996). 



3.2 Disjunctive Cutting Planes 

We briefly mention a second principle to derive cutting planes, which is based 
on disjunctive programming (Balas 1979, Sherali & Shetty 1980). A disjunctive 
optimization problem is of the form 

$$\max\Big\{c^T x \;\Big|\; \bigvee_{h \in H} A_h x \le b_h,\ x \ge 0\Big\} \qquad (16)$$

for $H$ finite, $A_h \in F^{m_h \times n}$, and $b_h \in F^{m_h}$. The feasible set of the disjunctive 
optimization problem (16) is the union of the polyhedra $P_h = \{x \in \mathbb{R}^n \mid A_h x \le b_h,\ x \ge 0\}$, 
$h \in H$. Disjunctive cutting planes are obtained by applying the rule 

$$\text{disj\_cp}: \quad \frac{\bigvee_{h \in H} A_h x \le b_h,\ x \ge 0}{a^T x \le \beta} \quad \text{if } \begin{cases} u_h \in F^{m_h},\ u_h \ge 0, \\ a^T \le u_h^T A_h, \\ u_h^T b_h \le \beta, \end{cases} \text{ for all } h \in H \qquad (17)$$

We first take a non-negative linear combination of each disjunct and then 
weaken the left-hand and the right-hand side of all the inequalities obtained. The 
constraint $x \ge 0$ allows us to weaken also the left-hand side. The completeness 
of the disjunctive cutting plane principle was studied by several authors, see e.g. 
(Blair & Jeroslow 1978, Jeroslow 1977). To apply the inference rule disj_cp to 
integer programming problems, one may, e.g., consider disjunctions of the form 

$$\begin{array}{c} Ax \le b,\ x \ge 0 \\ x_j \le d \end{array} \;\vee\; \begin{array}{c} Ax \le b,\ x \ge 0 \\ x_j \ge d + 1 \end{array} \qquad (18)$$

for some $j \in \{1, \dots, n\}$ and $d \in \mathbb{Z}$. A very successful branch-and-cut algorithm 
for general linear 0-1 optimization, which is based on disjunctive cutting planes, 
is the lift-and-project method developed by Balas, Ceria & Cornuejols (1993, 
1996). 

4 The Elementary Closure 

The set of vectors satisfying all Gomory-Chvatal cutting planes for $P$ is called 
the elementary closure $P'$ of $P$. Thus, if $P$ is defined by the system $Ax \le b$, 
where $A \in \mathbb{Z}^{m \times n}$ and $b \in \mathbb{Z}^m$, then $P'$ is defined as 

$$P' = \bigcap_{\substack{\lambda \in \mathbb{R}^m_{\ge 0} \\ \lambda^T A \in \mathbb{Z}^n}} \big(\lambda^T A x \le \lfloor \lambda^T b \rfloor\big). \qquad (19)$$

A crucial observation made by Schrijver (1980) is that the weight-vectors $\lambda$ 
can be chosen such that $0 \le \lambda \le 1$. This holds because an inequality $\lambda^T A x \le \lfloor \lambda^T b \rfloor$ 
with $\lambda \in \mathbb{R}^m_{\ge 0}$ and $\lambda^T A \in \mathbb{Z}^n$ is implied by $Ax \le b$ and 
$(\lambda - \lfloor \lambda \rfloor)^T A x \le \lfloor (\lambda - \lfloor \lambda \rfloor)^T b \rfloor$, since 

$$\lambda^T A x = (\lambda - \lfloor \lambda \rfloor)^T A x + \lfloor \lambda \rfloor^T A x \le \lfloor (\lambda - \lfloor \lambda \rfloor)^T b \rfloor + \lfloor \lambda \rfloor^T b = \lfloor \lambda^T b \rfloor. \qquad (20)$$

Thus $P'$ is of the form 

$$P' = \bigcap_{\substack{0 \le \lambda \le 1 \\ \lambda^T A \in \mathbb{Z}^n}} \big(\lambda^T A x \le \lfloor \lambda^T b \rfloor\big). \qquad (21)$$

An integer vector $c \in \mathbb{Z}^n$ of the form $c^T = \lambda^T A$, where $0 \le \lambda \le 1$, has infinity 
norm $\|c\|_\infty \le \|\lambda^T\|_\infty \|A\|_\infty \le \|A\|_\infty$. Therefore the elementary closure $P'$ of 
a rational polyhedron is a rational polyhedron again, as observed by Schrijver 
(1980). 

Proposition 3 (Schrijver 80). If $P$ is a rational polyhedron, then $P'$ is a 
rational polyhedron. 

4.1 Complexity of the Elementary Closure 

An important question is, whether one can optimize in polynomial time over 
the elementary closure of a polyhedron. Grotschel, Lovasz & Schrijver (1988) 
have shown that the optimization problem over a polyhedron $Q$ is equivalent to 
the separation problem for $Q$, which is defined as follows: Given some $x$, decide 
whether $x$ is in $Q$ and if $x \notin Q$, provide an inequality which is valid for $Q$ but not 
for $x$. Equivalence means that there is a polynomial algorithm for optimization 
if and only if there is a polynomial algorithm for separation. 

Thus equivalent to the optimization over the elementary closure $P'$ is the 
separation problem over $P'$. A subproblem of the separation problem for $P'$ is 
the membership problem for $P'$. It can be stated as: 

Given $A \in \mathbb{Z}^{m \times n}$, $b \in \mathbb{Z}^m$ and a rational vector $x \in \mathbb{Q}^n$, decide whether 
$x$ is outside the elementary closure $P'$ of the polyhedron $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$. 

Here one is only faced with the decision problem of whether $x$ is outside $P'$ 
and not with the additional task of computing a separating hyperplane. Eisenbrand 
(1999) proved that the membership problem for the elementary closure 
of a polyhedron is NP-complete. In other words, it is NP-complete to decide 
whether there is an inference using rule GC_cp that separates the point $x$ from 
$P'$. Therefore the optimization problem over $P'$ is NP-hard. 



4.2 The Elementary Closure in Fixed Dimension 

The upper bound of $\|A\|_\infty$ on the number of inequalities defining $P'$ is 
exponential in the size of the input $P$, even in fixed dimension. Integer programming 
in fixed dimension, however, is polynomial. Also, there is a structural result 
concerning the number of vertices of the integer hull of a polyhedron in fixed 
dimension. If $P$ is defined by an integral system $Ax \le b$, then the number of 
vertices of $P_I$ is polynomial in the encoding length $\mathrm{size}(P)$ of $A$ and $b$ in fixed 
dimension. This follows from a generalization of a result by Hayes & Larman 
(1983), see (Schrijver 1986). A tight upper bound was provided by Cook, Hartmann, 
Kannan & McDiarmid (1992). For the elementary closure a similar result 
holds. Bockmayr & Eisenbrand (1999) show that in fixed dimension only a 
polynomial number of inequalities is needed to describe $P'$. 

Theorem 6. The number of inequalities needed to describe the elementary closure 
of a rational polyhedron $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$ with $A \in \mathbb{Z}^{m \times n}$ and 
$b \in \mathbb{Z}^m$, is $O(m^n\, \mathrm{size}(P)^n)$ in fixed dimension $n$. 

A simplicial cone is a polyhedron $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$, where $A \in \mathbb{R}^{n \times n}$ is 
a nonsingular matrix. If $A$ is in addition an integral matrix with $d = |\det(A)|$, 
then the cutting planes of the simplicial cone $P$ are of the form 

$$\frac{\mu^T A}{d}\, x \le \Big\lfloor \frac{\mu^T b}{d} \Big\rfloor, \quad \text{where } \mu \in \{0, \dots, d\}^n \text{ and } \mu^T A \in (d \cdot \mathbb{Z})^n. \qquad (22)$$

Thus cutting planes of $P$ are represented by integral points in the cutting plane 
polytope $Q$ which is the set of all $(\mu, y, z)$ in $\mathbb{R}^{2n+1}$ satisfying the inequalities 

$$\begin{aligned} \mu &\ge 0 \\ \mu &\le d \\ \mu^T A &= d\, y^T \\ (\mu^T b) - d + 1 &\le d z \\ (\mu^T b) &\ge d z. \end{aligned} \qquad (23)$$

If $(\mu, y, z)$ is integral, then $\mu \in \{0, \dots, d\}^n$, $y \in \mathbb{Z}^n$ enforces $\mu^T A \in (d \cdot \mathbb{Z})^n$ 
and $z$ is the only integer in the interval $[(\mu^T b + 1 - d)/d,\ \mu^T b / d]$. Bockmayr & 
Eisenbrand (1999) show that the facets of $P'$ are represented by vertices of $Q_I$. 
Theorem 6 then follows from triangulation. 
4.3 Choosing Cutting Planes for Simplicial Cones 

In practice, Gomory-Chvatal cutting planes are normally used in a branch-and-cut 
framework. Therefore, one is faced with the problem of finding efficiently 
cutting planes that tighten the relaxation as much as possible. It would be most 
useful to cut with facets of the elementary closure $P'$. However this is so far 
not possible. If $P$ is a simplicial cone defined by $Ax \le b$, then the vertices of 
the integer hull $Q_I$ of $Q$ defined by (23) include the facets of $P'$. Bockmayr 
& Eisenbrand (1999) present a polynomial algorithm which computes cutting 
planes for a simplicial cone that correspond to vertices of $Q_I$. These cutting 
planes can be used to separate $A^{-1} b$. 

Theorem 7. Let $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$ be a rational simplicial cone, where 
$A \in \mathbb{Z}^{n \times n}$ is of full rank, $b \in \mathbb{Z}^n$ and $d = |\det(A)|$. Then one can compute in 
$O(n^\omega)$ basic operations of $\mathbb{Z}_d$ a vertex of $Q_I$ corresponding to a cutting plane 
$(\mu/d)^T A x \le \lfloor (\mu/d)^T b \rfloor$ separating $A^{-1} b$ with maximal possible amount of 
violation $r_{\max}/d$. 

Here $\omega$ is a constant such that $n \times n$ matrix multiplication can be carried 
out in $O(n^\omega)$. 



4.4 The Chvatal-Gomory Procedure 

The elementary-closure operation can be iterated. Let $P^{(0)} = P$ and $P^{(i+1)} = (P^{(i)})'$, 
for $i \ge 0$. Then the Chvatal rank of $P$ is the smallest number $t$ such that 
$P^{(t)} = P_I$ where $P_I = \mathrm{conv}(P \cap \mathbb{Z}^n)$ is the integer hull of $P$. 

The rank of an inequality $c^T x \le \delta$ is the smallest $t$ such that $c^T x \le \delta$ is valid 
for $P^{(t)}$. The following theorem clarifies the relation between the rank and the 
length of a cutting plane proof. 

Theorem 8 (Chvatal, Cook and Hartmann 89). Let $Ax \le b$, with $A \in \mathbb{Z}^{m \times n}$ 
and $b \in \mathbb{Z}^m$, have an integer solution, and let $c^T x \le \delta$ have rank at most $d$ 
relative to $Ax \le b$. Then there is a cutting plane proof of $c^T x \le \delta$ from $Ax \le b$ 
of length at most $(n^{d+1} - 1)/(n - 1)$. 

Chvatal (1973) showed that every bounded polyhedron $P \subseteq \mathbb{R}^n$ has finite 
rank. Schrijver (1980) extended this result to possibly unbounded, but rational 
polyhedra $P = \{x \in \mathbb{R}^n \mid Ax \le b\}$, where $A \in \mathbb{Q}^{m \times n}$, $b \in \mathbb{Q}^m$. Both results 
are implicit in (Gomory 1958). Cook, Gerards, Schrijver & Tardos (1986) and 
Gerards (1990) proved that for every matrix $A \in \mathbb{Z}^{m \times n}$ there exists $t \in \mathbb{N}$ such 
that for all right-hand sides $b \in \mathbb{Z}^m$, the Chvatal rank of $P_b = \{x \in \mathbb{R}^n \mid Ax \le b\}$ 
is bounded by $t$. 

Already in dimension 2, there exist rational polyhedra of arbitrarily large 
Chvatal rank (Chvatal 1973). To see this, consider the polytopes 

$$P_k = \mathrm{conv}\{(0, 0), (0, 1), (k, \tfrac{1}{2})\}.$$
Fig. 2. The polytope $P_k$ with the points $(0, 0)$, $(0, 1)$ and $(k, \tfrac{1}{2})$ marked. 

One can show that $P_{k-1} \subseteq P'_k$. For this, let $c^T x \le \delta$ be valid for $P_k$ with 
$\delta = \max\{c^T x \mid x \in P_k\}$. If $c_1 \le 0$, then the point $(0, 0)$ or $(0, 1)$ maximizes $c^T x$, thus 
$(c^T x = \delta)$ contains integral points. If $c_1 > 0$, then $c^T (k, \tfrac{1}{2}) \ge c^T (k-1, \tfrac{1}{2}) + 1$. 
Therefore the point $(k-1, \tfrac{1}{2})$ is in the half space $(c^T x \le \delta - 1) \subseteq (c^T x \le \lfloor \delta \rfloor)$. 
Unfortunately, the lower bound $k$ is exponential in the encoding length of $P_k$ 
which is $O(\log(k))$. 
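For small $k$ the Chvatal-Gomory procedure on $P_k$ can be carried out exactly. The following Python script is an added example and not code from the paper: it keeps a polygon in the plane as a list of integral facet inequalities, builds the elementary closure $P'$ from Schrijver's observation in Sect. 4 (with $0 \le \lambda \le 1$ every integral normal $c = \lambda^T A$ is bounded by the column sums of $|A|$, and the strongest cut for such a $c$ is $c^T x \le \lfloor \max_P c^T x \rfloor$), and iterates until every vertex is integral. The function names and the 2D clipping and hull routines are my own, and the rank loop assumes $P^{(i)}$ stays full-dimensional until it equals $P_I$, which is the case for $P_k$.

```python
from fractions import Fraction as Fr
from itertools import product
from math import floor, gcd

# A polygon P = {x in R^2 | A x <= b} is a list of triples (a1, a2, beta) meaning
# a1*x + a2*y <= beta, with integral coprime (a1, a2) (needed for Schrijver's bound).


def p_k(k):
    """Chvatal's polytope P_k = conv{(0,0), (0,1), (k, 1/2)} as a facet description."""
    return [(1, -2 * k, 0), (1, 2 * k, 2 * k), (-1, 0, 0)]


def vertices(ineqs):
    """Vertices of a bounded polygon: clip each boundary line a^T x = beta by all
    half-planes and keep the end points of the surviving segment (exact arithmetic)."""
    pts = set()
    for a1, a2, b in ineqs:
        nrm = a1 * a1 + a2 * a2
        p0 = (Fr(b * a1) / nrm, Fr(b * a2) / nrm)   # a point on the line
        d = (-a2, a1)                                 # direction of the line
        lo, hi, feasible = None, None, True
        for c1, c2, e in ineqs:
            slope = c1 * d[0] + c2 * d[1]             # growth of c^T(p0 + t d) in t
            room = e - (c1 * p0[0] + c2 * p0[1])
            if slope == 0:
                feasible = feasible and room >= 0
            elif slope > 0:
                hi = room / slope if hi is None else min(hi, room / slope)
            else:
                lo = room / slope if lo is None else max(lo, room / slope)
        if feasible and lo is not None and hi is not None and lo <= hi:
            for t in (lo, hi):
                pts.add((p0[0] + t * d[0], p0[1] + t * d[1]))
    return pts


def facets(pts):
    """Irredundant facet description of the full-dimensional polygon conv(pts):
    convex hull by Andrew's monotone chain, one inequality per edge, with the
    outward normal scaled to coprime integers."""
    pts = sorted((Fr(x), Fr(y)) for x, y in pts)

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    def chain(seq):
        h = []
        for p in seq:
            while len(h) >= 2 and cross(h[-2], h[-1], p) <= 0:
                h.pop()
            h.append(p)
        return h

    hull = chain(pts)[:-1] + chain(pts[::-1])[:-1]   # counter-clockwise order
    out = []
    for (x1, y1), (x2, y2) in zip(hull, hull[1:] + hull[:1]):
        a1, a2 = y2 - y1, x1 - x2                     # outward normal of a CCW edge
        den = a1.denominator * a2.denominator
        n1, n2 = int(a1 * den), int(a2 * den)
        g = gcd(n1, n2)
        out.append((n1 // g, n2 // g, (n1 * x1 + n2 * y1) / g))
    return out


def elementary_closure(ineqs):
    """The Gomory-Chvatal cuts defining P' (Sect. 4).  By Schrijver's observation
    the weights satisfy 0 <= lambda <= 1, so c = lambda^T A has |c_j| <= sum_i |a_ij|;
    for such a c the strongest cut is c^T x <= floor(max{c^T x | x in P}), and the
    maximum is attained at a vertex.  A non-coprime c is dominated by the cut
    for c/gcd and is skipped."""
    verts = vertices(ineqs)
    bound = [sum(abs(a[j]) for a in ineqs) for j in (0, 1)]
    cuts = []
    for c1, c2 in product(range(-bound[0], bound[0] + 1), range(-bound[1], bound[1] + 1)):
        if (c1, c2) != (0, 0) and gcd(c1, c2) == 1:
            cuts.append((c1, c2, floor(max(c1 * x + c2 * y for x, y in verts))))
    return cuts


def chvatal_rank(ineqs, max_rounds=10):
    """Iterate P^(i+1) = (P^(i))' until every vertex is integral, i.e. P^(i) = P_I,
    and return that i.  Assumes P^(i) stays full-dimensional as long as it is not
    integral (true for P_k, whose integer hull is the segment from (0,0) to (0,1))."""
    verts = vertices(ineqs)
    for t in range(max_rounds + 1):
        if all(x.denominator == 1 and y.denominator == 1 for x, y in verts):
            return t
        if t > 0:
            ineqs = facets(verts)                     # integral description of P^(t)
        verts = vertices(elementary_closure(ineqs))   # vertices of P^(t+1)
    return None


if __name__ == "__main__":
    for k in (1, 2):
        print(f"rank(P_{k}) =", chvatal_rank(p_k(k)))
```

Running it shows that each closure of $P_k$ is again a triangle of the same shape with a smaller apex, so the rank grows with $k$ exactly as the argument above predicts.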



4.5 Bounds on the Chvatal-Rank in the 0/1 Cube 

Of particular interest in propositional logic and combinatorial optimization, 
however, are polytopes in the 0/1 cube. Note that combinatorial optimization 
problems can often be modeled as an integer program in 0/1-variables. 

Bockmayr, Eisenbrand, Hartmann & Schulz (1999) studied the Chvatal rank 
of polytopes contained in the $n$-dimensional cube $[0, 1]^n$. They showed that the 
Chvatal rank of a polytope $P \subseteq [0, 1]^n$ is $O(n^3 \log n)$ and prove the linear upper 
and lower bound $n$ for the case $P \cap \mathbb{Z}^n = \emptyset$. The basic proof technique here 
is scaling. Each integral 0/1 polytope can be described by a system of integral 
inequalities $Ax \le b$ such that each absolute value of an entry in $A$ is bounded 
by $n^{n/2}$, see e.g. (Padberg & Grotschel 1985). The sequence of integral vectors 
obtained from $a^T$ by dividing it by decreasing powers of 2 followed by rounding 
gives a better and better approximation of $a^T$ itself. One estimates the number 
of iterations of the Chvatal-Gomory rounding procedure needed until the face 
given by some vector in the sequence contains integer points, using the fact that 
the face given by the previous vector in the sequence also contains integer points. 
Although the size of the vector is doubled every time, the number of iterations 
of the Chvatal-Gomory rounding procedure in each step is at most quadratic. 

This $O(n^3 \log n)$ upper bound was later improved by Eisenbrand & Schulz 
(1999) down to $O(n^2 \log n)$. Lower bounds that are asymptotically larger than 
linear are not known. Eisenbrand & Schulz (1999) show that the case $P_I = \emptyset$ and 
$\mathrm{rank}(P) = n$ can only be modeled with an exponential number of inequalities. 

Theorem 9. Let $P \subseteq [0, 1]^n$ be a polytope in the 0/1-cube with $P_I = \emptyset$ and 
$\mathrm{rank}(P) = n$. Any inequality description of $P$ has at least $2^n$ inequalities. 

This implies that an unsatisfiable set of clauses in $n$ variables can only model a 
polytope of rank $n$, if the number of clauses is exponential in $n$. 
5 Cutting Plane Proofs 

By using the translation of propositional clauses into clausal inequalities (cf. 
Sect. 1) cutting planes yield a proof system for propositional logic. It is easy to 
see that any resolvent of a set of propositional clauses can also be obtained as a 
Gomory-Chvatal cutting plane from the corresponding clausal inequalities and 
the bound inequalities $0 \le x_i, y_j \le 1$. 

Proposition 4. If the unsatisfiability of a set of clauses has a resolution proof 
of length $l$, then it has a cutting plane proof of the same length. 

Let $\mathrm{Pig}_n$ be a set of clauses representing the pigeon hole problem “Place $n+1$ 
pigeons into $n$ holes”. Using a propositional variable $x_{ij}$ to indicate whether or 
not pigeon $i$ is placed into hole $j$, $\mathrm{Pig}_n$ is given by the clauses 

$x_{i1} \vee \cdots \vee x_{in}$, for $i = 1, \ldots, n+1$ 

$\bar{x}_{i_1 j} \vee \bar{x}_{i_2 j}$, for $1 \le i_1 < i_2 \le n+1$, $j = 1, \ldots, n$. 



Theorem 10 (Haken 85). There is no polynomial upper bound on the length 
of a shortest resolution proof of the unsatisfiability of $\mathrm{Pig}_n$. 

Proposition 5 (Cook, Coullard and Turán 87). The unsatisfiability of 
$\mathrm{Pig}_n$ has a cutting plane proof of length $O(n^3)$. 

This shows that cutting planes are strictly more powerful than resolution. 
There exists a polynomial proof system for propositional logic if and only if NP 
= coNP. A longstanding open problem was to find a set of formulae for which 
there exist no polynomial cutting plane proofs. This was finally solved by Pudlák 
in 1995. 

Theorem 11 (Pudlák 97). There exist unsatisfiable propositional formulae 
$\varphi_n$ for which there is no polynomial upper bound on the length of a shortest 
cutting plane proof. 

Pudlák’s proof is based on an effective interpolation theorem that allows one 
to reduce the lower bound problem on the length of proofs to a lower bound 
problem on the size of some circuits that compute with real numbers and use 
non-decreasing functions as gates. Pudlák obtained an exponential lower bound 
for these circuits by generalizing Razborov’s lower bound for monotone Boolean 
circuits (Razborov 1985). Another exponential lower bound for monotone real 
circuits has been given independently by Haken & Cook (1999). 

The formulae $\varphi_n$ used in Pudlák’s proof express that a graph on $n$ vertices 
contains a clique of size $m$ and that it is $(m-1)$-colorable. We introduce variables 
$p_{ij}$, $1 \le i < j \le n$, to encode the graph, variables $q_{ki}$, $1 \le k \le m$, $1 \le i \le n$, to 
encode a one-to-one mapping from an $m$-element set into the vertex set of the 
graph, and variables $r_{il}$, $1 \le i \le n$, $1 \le l \le m-1$, to encode an $(m-1)$-coloring 
of the graph. The inequalities are as follows: 

$\sum_{i=1}^{n} q_{ki} \ge 1$, for $1 \le k \le m$ 

$\sum_{k=1}^{m} q_{ki} \le 1$, for $1 \le i \le n$ 

$\sum_{l=1}^{m-1} r_{il} \ge 1$, for $1 \le i \le n$   (25) 

$q_{ki} + q_{k'j} \le 1 + p_{ij}$, for $1 \le i < j \le n$, $1 \le k \ne k' \le m$ 

$p_{ij} + r_{il} + r_{jl} \le 2$, for $1 \le i < j \le n$, $1 \le l \le m-1$ 

Pudlák shows that any cutting plane proof of $0 \ge 1$ from these inequalities has 
at least $2^{\Omega((n/\log n)^{1/3})}$ steps. 

There exist several other proof systems for linear 0-1 inequalities whose com- 
plexity has been investigated, see (Pudlak 1999) for an overview. 



6 Generalized Resolution 



Hooker (1988) and (1992) generalized resolution from propositional clauses to 
arbitrary linear 0-1 inequalities. Here, we present his method for the case of 
extended clauses. An extended clause is a linear 0-1 inequality of the form 

$L_1 + \cdots + L_m \ge d$,   (26) 

where $d \ge 1$ is a positive integer and $L_i$, $i = 1, \ldots, m$, is either a positive 
literal $x_i$ or a negative literal $\bar{x}_i = 1 - x_i$. The intuitive meaning of (26) is that 
at least $d$ out of the $m$ literals $L_i$ have to be true. Classical clauses or clausal 
inequalities correspond to the case $d = 1$. If $x_i$, $i = 1, \ldots, l$, are the positive 
literals and $y_j$, $j = 1, \ldots, k$, are the negative literals, then the extended clause 
(26) can also be written in the form 

$x_1 + \cdots + x_l - y_1 - \cdots - y_k \ge d - k$.   (27) 

In many cases, extended clauses give a more compact representation of a set $S \subseteq 
\{0,1\}^n$ than classical clauses. For example, the extended clause $L_1 + \cdots + L_m \ge d$ 
is equivalent to the conjunction $\bigwedge_{J \subseteq \{1,\ldots,m\}:\ |J| = m-d+1} \sum_{i \in J} L_i \ge 1$ of $\binom{m}{m-d+1}$ 
classical clauses. 

A classical clause $L_1 + \cdots + L_m \ge 1$ implies another clause $L'_1 + \cdots + L'_k \ge 1$ 
if and only if $L = \{L_1, \ldots, L_m\} \subseteq L' = \{L'_1, \ldots, L'_k\}$. A similar result holds for 
extended clauses. Abbreviate an extended clause $L_1 + \cdots + L_m \ge d$ by $L \ge d$ 
and view $L$ as a set of literals $\{L_1, \ldots, L_m\}$ of cardinality $|L| = m$. Then $L \ge d$ 
implies $L' \ge d'$ if and only if $|L \setminus L'| \le d - d'$. This means that the implication 
problem for extended clauses is easy, while for arbitrary linear 0-1 inequalities 
it is coNP-complete. Generalized resolution is described by the inference rules: 

Impl_Ext_Cl:   $\dfrac{L \ge d}{L' \ge d'}$   if $|L \setminus L'| \le d - d'$ 

Resolution:   $\dfrac{L_1 + M \ge 1, \quad \bar{L}_1 + N \ge 1}{M + N \ge 1}$ 

Diagonal_Sum:   $\dfrac{\begin{array}{c} L_2 + L_3 + \cdots + L_{m-1} + L_m \ge d \\ L_1 + L_3 + \cdots + L_{m-1} + L_m \ge d \\ \vdots \\ L_1 + L_2 + \cdots + L_{m-2} + L_m \ge d \\ L_1 + L_2 + \cdots + L_{m-1} \ge d \end{array}}{L_1 + L_2 + \cdots + L_{m-1} + L_m \ge d + 1}$   (28) 



Generalizing a classical result from Quine, Hooker (1992) showed that by applying 
these rules one can compute all prime extended clauses for a set of extended 
clauses $C$. An extended clause $L \ge d$ is prime for $C$ if $L \ge d$ is implied by $C$ 
and if there is no other extended clause implied by $C$ that implies $L \ge d$. A 
set of extended clauses is unsatisfiable if and only if one can derive by generalized 
resolution the empty clause $0 \ge 1$. Barth (1996) introduced simplifying resolvents 
and diagonal sums and showed how these can be computed efficiently. He 
also devised an algorithm to compute for an arbitrary linear 0-1 inequality an 
equivalent set of extended clauses. (Bockmayr 1993, Bockmayr 1995, Barth & 
Bockmayr 1995, Barth & Bockmayr 1996) study logic-based and polyhedral 0-1 
constraint solving in the context of constraint logic programming. 
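The extended-clause machinery of this section in executable form, as an added Python example rather than code from the paper or from Hooker's or Barth's systems: the implication test $|L \setminus L'| \le d - d'$, the expansion of $L \ge d$ into its $\binom{m}{m-d+1}$ classical clauses, and the Resolution and Diagonal_Sum rules of (28). A brute-force check over all 0/1 assignments is included to validate the implication test on small instances. The literal encoding as (variable, polarity) pairs and all function names are this example's own choices.

```python
from itertools import combinations, product

# Example encoding (not the paper's notation): an extended clause L >= d is a
# pair (L, d) where L is a frozenset of literals and d >= 1 an integer; a
# literal is (variable, polarity), polarity False standing for 1 - x.


def implies(ec1, ec2):
    """L >= d implies L' >= d' if and only if |L \\ L'| <= d - d'."""
    (L, d), (L2, d2) = ec1, ec2
    return len(L - L2) <= d - d2


def to_classical_clauses(ec):
    """L_1 + ... + L_m >= d is equivalent to the conjunction of the
    C(m, m-d+1) classical clauses sum_{i in J} L_i >= 1 with |J| = m-d+1."""
    L, d = ec
    return {(frozenset(J), 1) for J in combinations(sorted(L), len(L) - d + 1)}


def resolution(ec1, ec2):
    """Rule Resolution: from L_1 + M >= 1 and (1 - L_1) + N >= 1 derive
    M + N >= 1, for every literal of the first clause whose complement
    occurs in the second one."""
    (M, d1), (N, d2) = ec1, ec2
    if d1 != 1 or d2 != 1:
        raise ValueError("Resolution applies to classical clauses (d = 1)")
    return {(frozenset(M - {(v, p)}) | frozenset(N - {(v, not p)}), 1)
            for (v, p) in M if (v, not p) in N}


def diagonal_sum(clauses):
    """Rule Diagonal_Sum (28): given the m extended clauses obtained from
    L = {L_1, ..., L_m} by deleting one literal each (all of degree d),
    derive L >= d + 1.  Returns None if the premises do not have that shape."""
    degrees = {d for _, d in clauses}
    if len(degrees) != 1:
        return None
    d = degrees.pop()
    L = frozenset().union(*[lits for lits, _ in clauses])
    if len(clauses) != len(L) or {lits for lits, _ in clauses} != {L - {lit} for lit in L}:
        return None
    return (L, d + 1)


def satisfies(ec, assignment):
    """A literal (v, p) is true when assignment[v] == p; L >= d holds when at
    least d of its literals are true."""
    L, d = ec
    return sum(1 for (v, p) in L if assignment[v] == p) >= d


def brute_force_implies(ec1, ec2, variables):
    """Exhaustive check over all 0/1 assignments, used to validate implies()."""
    for values in product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, values))
        if satisfies(ec1, assignment) and not satisfies(ec2, assignment):
            return False
    return True
```

With $L = \{x_1, x_2, x_3\}$ and $d = 2$, the three premises $x_2 + x_3 \ge 1$, $x_1 + x_3 \ge 1$, $x_1 + x_2 \ge 1$ yield $x_1 + x_2 + x_3 \ge 2$ by Diagonal_Sum, and expanding that extended clause back gives exactly the same three classical clauses.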
Abstract. P. Van Hentenryck et al. have designed an efficient interval 
constraint solver combining box consistency and Gauss-Seidel iterations, 
that is the core of Numerica. F. Benhamou et al. have shown that 
hull consistency may be faster and more accurate than box consistency. 
Their algorithm merges both consistency techniques taking care of the 
constraints’ expressions. This paper presents a new algorithm BC5 
enforcing hull consistency, box consistency and the interval Gauss-Seidel 
method. The main idea is to weaken the local contractions and to let the 
propagation operate between all elementary solvers in order to accelerate 
the computation while preserving the same precision. Algorithm BC5 is 
finally compared with the constraint solving algorithm of Numerica. 



1 Introduction 

Numerical constraints over continuous domains are involved in many applications 
from robotics, chemistry, image synthesis, etc. Sets of constraints over 
continuous variables are called numeric constraint satisfaction problems (CSP). 
Constraint solving algorithms are of particular importance since they are often 
used by optimization or differentiation engines. Among them, branch and prune 
algorithms alternate domain pruning, enforcing local consistency techniques to 
remove from variables’ domains some inconsistent values w.r.t. constraints, and 
branching to search for the solutions. 

This paper focuses on pruning — filtering — algorithms enforcing local consistency 
techniques over numeric CSPs. Two consistency notions worth mentioning 
are hull [6] and box [5] consistency. The collective thought advised until 
recently that box consistency should be enforced over complex constraints and 
hull consistency over simple constraints (w.r.t. the length of constraints’ expressions 
and the number of occurrences of variables). In [4], it has been shown that 
both must be combined to gain in precision and time. In [29], box consistency 
has been used with the interval Gauss-Seidel method, where the numeric CSP is 
linearized through a first order Taylor expansion. Their interaction is a form of 
coarse-grained cooperation since both solvers only alternate after the computation 
of a fixed-point. Furthermore, constraint consistency techniques were shown 
to be more efficient when variables’ domains are large, whereas Gauss-Seidel methods 
are at their best when the domains are tight. Thus, it is an obvious idea to 
combine both in the previously mentioned ordering. 



H. Kirchner and C. Ringeissen (Eds.): FroCoS 2000, LNAI 1794, pp. 18-31, 2000. 
(c) Springer-Verlag Berlin Heidelberg 2000 
This paper reviews the combination of constraint consistency techniques and 
Gauss-Seidel-based methods. Both algorithms presented in [29,4] are integrated 
in a new solver that takes advantage of their own characteristics. The main 
conclusions are the following: 

— an effective cooperation is needed between all solvers; in particular, the 
computation of a fixed-point of each solver leads to slow convergence phenomena, 
whereas the application of another solver before the fixed-point is reached may 
contract the domains more at a lower cost; 

— some knowledge of the solvers’ behavior is required for accelerating the whole 
solving process; in particular some heuristics concerning their efficiencies 
w.r.t. the constraints’ expressions, the size of domains, etc. lead to fixing a 
partial ordering on their applications, that avoids some unnecessary computations. 
In other words, a pure concurrency or a coarse-grained cooperation 
are in general not efficient. 

The conclusions are confirmed by some experimental results on the set of all 
benchmarks we have collected (but only the more significant ones are reported). 
Different algorithms we have implemented are compared with the constraint 
solving algorithm of Numerica. The best one is from five to ten times faster on 
average. 

The rest of the paper is organized as follows: Section 2 introduces some 
materials from interval arithmetic and local consistency techniques. Section 3 
presents the novel algorithm. Experimental results are discussed in Section 4. 
Directions for future research are sketched in Section 5. 

2 Preliminary Notions 

This section reviews some efficient techniques from interval analysis and artificial 
intelligence for solving numerical constraints over continuous domains. 



2.1 Interval Arithmetic 

Interval arithmetic was designed by R.E. Moore [24] for computing roundoff error 
bounds of numerical computations. Real quantities are represented by intervals 
of real numbers enclosing them. 

Definition 1 (Interval). Given two real numbers $a$ and $b$ such that $a \le b$, the 
set $\{x \in \mathbb{R} \mid a \le x \le b\}$ is an interval denoted by $[a, b]$. 

Practical experiments are based on the set $\mathbb{I}$ of machine-representable intervals 
whose bounds are floating-point numbers. Given a relation $\rho \subseteq \mathbb{R}^n$, $\mathrm{Hull}(\rho)$ 
denotes the intersection of all elements of $\mathbb{I}^n$ containing $\rho$. An interval is said 
canonical if it contains at most two floating-point numbers. The width of an 
interval $[a, b]$ is the quantity $b - a$. 
Interval arithmetic operations are set theoretic extensions of the real ones. 
They are usually implemented by floating point operations^1 over the bounds of 
intervals; for example: $[a, b] + [c, d] = [a + c, b + d]$ and $[a, b] - [c, d] = [a - d, b - c]$. 
Composition of operations defines a fast and reliable method for computing 
an outer approximation of the range of a continuous real function, also called 
interval evaluation of the function: for example, the range of $f(x) = 1 + 2 \times x - x$ 
over $[0, 1]$ is necessarily included in $[1, 1] + [2, 2] \times [0, 1] - [0, 1] = [0, 3]$. This 
process corresponds to the evaluation of the interval function $F(X) = \mathrm{Hull}(\{1\}) + 
\mathrm{Hull}(\{2\}) \times X - X$ called the natural interval extension of $f$. More generally, we 
have the following definition: 

Definition 2 (Interval extension). A function $F : \mathbb{I}^n \to \mathbb{I}$ is an interval 
extension of $f : \mathbb{R}^n \to \mathbb{R}$ if the range of $f$ over $I$ is included in $F(I)$ for every 
$I$ in the domain of $f$. 
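The interval arithmetic of this subsection as an added Python example (not code from the paper): a small Interval class whose operations widen every result by one ulp on each side, emulating the rounding towards the infinities of footnote 1 with `math.nextafter` (Python cannot switch the FPU rounding mode), and the natural interval extension of $f(x) = 1 + 2x - x$ from the text. The example also makes the overestimation visible: the true range of $f$ over $[0, 1]$ is $[1, 2]$, while the natural extension returns an enclosure of $[0, 3]$, because the two occurrences of $x$ are evaluated independently. The class and function names are this example's assumptions.

```python
import math


class Interval:
    """Closed interval [lo, hi] of floats.  Every arithmetic result is
    widened outward by one ulp on each side, so it encloses the exact real
    result whatever rounding the floating-point operation performed."""

    __slots__ = ("lo", "hi")

    def __init__(self, lo, hi):
        if lo > hi:
            raise ValueError("empty interval")
        self.lo = float(lo)
        self.hi = float(hi)

    @staticmethod
    def hull(values):
        """Hull of a finite set of reals: the smallest interval containing it."""
        return Interval(min(values), max(values))

    @staticmethod
    def _round_out(lo, hi):
        # emulation of rounding towards -inf for the lower bound and
        # towards +inf for the upper bound (footnote 1)
        return Interval(math.nextafter(lo, -math.inf), math.nextafter(hi, math.inf))

    def __add__(self, other):
        return Interval._round_out(self.lo + other.lo, self.hi + other.hi)

    def __sub__(self, other):
        return Interval._round_out(self.lo - other.hi, self.hi - other.lo)

    def __mul__(self, other):
        products = (self.lo * other.lo, self.lo * other.hi,
                    self.hi * other.lo, self.hi * other.hi)
        return Interval._round_out(min(products), max(products))

    def width(self):
        return self.hi - self.lo

    def encloses(self, other):
        return self.lo <= other.lo and other.hi <= self.hi

    def __repr__(self):
        return "[%r, %r]" % (self.lo, self.hi)


def natural_extension(x):
    """Natural interval extension F(X) = Hull({1}) + Hull({2}) * X - X of
    f(x) = 1 + 2x - x: each occurrence of x is evaluated independently."""
    return Interval.hull({1}) + Interval.hull({2}) * x - x


def true_range(x):
    """f(x) simplifies to 1 + x, so its exact range over X is [1 + lo, 1 + hi]."""
    return Interval(1.0 + x.lo, 1.0 + x.hi)
```

Over $X = [0, 1]$ the natural extension returns an interval enclosing $[0, 3]$ whose width exceeds 3 only by a few ulps, while the true range $[1, 2]$ is strictly inside it; this dependency effect is what box consistency later addresses for variables with multiple occurrences.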

2.2 Constraint Satisfaction 

In the following, a constraint is an atomic formula built from a real-based structure 
$(\mathbb{R}, O, \{=, \le, \ge\})$ — where $O$ is a set of operations — and a set of real-valued 
variables. We denote by $\rho_c$ the relation associated with any constraint $c$ (considering 
the usual interpretation). A numeric CSP is defined by a set of constraints 
and the interval vector $I = (I_1, \ldots, I_n)$ of variables’ domains. A solution of 
the CSP is an element of the Cartesian product $I_1 \times \cdots \times I_n$ — called a box — 
verifying all constraints. 

The limitations of machine arithmetic only permit the computation of approximations 
— here, interval vectors — of the solutions. An approximate solution 
of the CSP is a vector $J \subseteq I$ verifying all constraints. A vector $J$ verifies an 
elementary constraint $c$ of the form $r(f, g)$ if $R(F(J), G(J))$ holds^2, where $F$ 
(resp. $G$) is an interval extension of $f$ (resp. $g$), and $R$ is the interval symbol 
corresponding to $r$. Interval symbols are interpreted as follows: given $I = [a, b]$ 
and $J = [a', b']$, we have: 

$I = J$ if $I \cap J \neq \emptyset$;   $I \le J$ if $a \le b'$;   $I \ge J$ if $b \ge a'$ 

In other words, the constraint is verified if the terms’ interval evaluations are in 
the interval interpretation of the corresponding relation symbol. If $J$ does not 
satisfy $c$, then the fundamental property of interval arithmetic [24] guarantees 
that it does not contain any solution of $c$. 

2.3 Constraint Narrowing and Propagation 

The process of solving a CSP is defined as the computation of precise (in the sense 
of domains’ widths) approximate solutions of all solutions. A generic branch and 
prune algorithm solves a CSP by iterating two steps: the pruning of domains 
while preserving the solution set; and the splitting of domains — branching step — 
to generate more precise sub-domains when some solutions cannot be separated. 
The pruning step is generally implemented by a filtering algorithm — constraint 
propagation process — that iteratively applies some elementary solvers associated 
with constraints, called constraint narrowing operators, until no domain can be 
further tightened (see [26,3,2] for more details). 

^1 Results of operations are rounded towards the infinities on machines supporting 
IEEE binary floating-point arithmetic [16]. 

^2 Constraints’ relation symbols considered in this paper are binary. 

Definition 3 (Constraint narrowing operator). A constraint narrowing 
operator (CNO) for the constraint $c$ is a contracting ($N(B) \subseteq B$) and monotonic 
($B \subseteq B' \Rightarrow N(B) \subseteq N(B')$) function $N$ verifying $\rho_c \cap B \subseteq N(B)$ for all 
boxes $B$, $B'$. 

In the framework of numeric CSPs, a CNO usually checks a consistency property 
of a set of variables’ domains with respect to a (local) set of constraints. This paper 
focuses on approximations of arc consistency over intervals, namely hull and 
box consistency (see [10] for a comparison of partial consistencies over intervals), 
which verify at a time the consistency of one interval domain with respect to one 
constraint of the CSP. These notions are defined as instances of 2B consistency 
proposed by O. Lhomme [18]. The main idea is to check only the consistency of 
the bounds of domains, which avoids the combinatorial explosion arising when all 
values are considered as in the discrete case. 

The standard filtering algorithm for 2B consistency — a variation of AC3 [19] — 
maintains a queue that verifies the following invariant: the domains are necessarily 
a fixed-point of every CNO not in that queue. If the queue becomes empty 
then a global fixed-point is reached, and if the product of domains becomes 
empty then the CSP’s inconsistency is established. 

Box Consistency and Related Algorithms 

Box consistency was defined by F. Benhamou et al. in [5]. 

Definition 4 (Box consistency). A constraint $c$ is said box consistent w.r.t. 
a box $I_1 \times \cdots \times I_n$ and a given interval extension if and only if $I_i = \mathrm{Hull}(\{r_i \in 
I_i \mid (I_1, \ldots, I_{i-1}, \mathrm{Hull}(\{r_i\}), I_{i+1}, \ldots, I_n)$ satisfies $c\})$ for all $i \in \{1, \ldots, n\}$. 

Roughly speaking, $c$ is box consistent if the canonical intervals at the bounds of 
each $I_i$ satisfy it. Consequently, a CNO implementing box consistency typically removes 
from the bounds of one domain some inconsistent canonical intervals. An efficient 
implementation operates a binary or ternary splitting of $I_i$ for searching for the 
leftmost and rightmost consistent canonical intervals. Furthermore, all constant 
terms (that do not contain the $i$-th variable) can be evaluated once before the 
search. Algorithm BC3revise [5] combines this process with an interval Newton 
method (an interval version of the real one). Algorithm BC3 [5] is the filtering 
algorithm derived from AC3 that applies CNOs implemented by some variations 
of BC3revise. 

In practice, it is often more efficient to stop propagation and narrowing processes 
before the computation of a fixed-point in BC3 and BC3revise, and to 
apply another CNO or filtering algorithm. The precision of BC3revise is called 
here the narrowing precision factor; it estimates the maximal distance between 
the output domain and the fixed-point domain (only some of the inconsistent 
canonical intervals may be removed). This idea has been proposed in [13] in 
order to speed up BC3 by enforcing an algorithm weaker than BC3revise while 
preserving the same final precision (computation of box consistency). The precision 
of BC3 is also influenced by the domain improvement factor that estimates 
the smallest width of domains’ contractions that may stop the propagation (in 
this case box consistency may not be computed). In practice, a good tuning of 
both precision parameters is a condition for efficiency. 
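To make the two precision parameters concrete, here is an added Python example (not the paper's BC3revise; in particular it has no interval Newton step) that narrows one domain towards box consistency by the dichotomic search for the leftmost and rightmost consistent sub-intervals. The narrowing precision factor $\psi$ decides when a sub-interval is treated as canonical and the search stops, and the domain improvement factor $\gamma$ decides whether the resulting contraction is large enough to count for propagation. The constraint $x \cdot x - 2x + 1 = 0$ (three occurrences of $x$) over $[0, 3]$ is constructed for the example: its natural extension over the whole domain evaluates to $[-5, 10]$, so interval evaluation alone removes nothing, while the search contracts the domain to a small neighbourhood of the root 1. The residual width, of the order of $\sqrt{\psi}$ rather than $\psi$, is a consequence of the dependency problem of the natural extension. Rounding is plain floating point here; a reliable solver rounds every bound outward (footnote 1). Helper and function names are this example's own.

```python
# Intervals are (lo, hi) float pairs; plain floating-point rounding is used
# for readability (a reliable implementation rounds every bound outward).

def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])


def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])


def imul(a, b):
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))


def F(x):
    """Natural interval extension of f(x) = x*x - 2*x + 1 (each occurrence of
    x is evaluated independently, so F overestimates the range of f)."""
    return iadd(isub(imul(x, x), imul((2.0, 2.0), x)), (1.0, 1.0))


def consistent(F, x):
    """Sub-interval x satisfies the constraint F(x) = 0 in the interval
    sense: the interval evaluation contains 0."""
    lo, hi = F(x)
    return lo <= 0.0 <= hi


def leftmost(F, lo, hi, psi):
    """Lower bound of the leftmost consistent sub-interval of [lo, hi] of
    width at most psi (None if no sub-interval is consistent).  A sub-interval
    of an inconsistent interval is inconsistent too (inclusion monotonicity),
    so whole halves are discarded with one evaluation."""
    if not consistent(F, (lo, hi)):
        return None
    if hi - lo <= psi:
        return lo
    mid = 0.5 * (lo + hi)
    found = leftmost(F, lo, mid, psi)
    return found if found is not None else leftmost(F, mid, hi, psi)


def rightmost(F, lo, hi, psi):
    """Symmetric search for the upper bound of the rightmost consistent sub-interval."""
    if not consistent(F, (lo, hi)):
        return None
    if hi - lo <= psi:
        return hi
    mid = 0.5 * (lo + hi)
    found = rightmost(F, mid, hi, psi)
    return found if found is not None else rightmost(F, lo, mid, psi)


def box_narrow(F, domain, psi=1e-8, gamma=0.10):
    """Narrow one domain for the constraint F(x) = 0.  Returns
    (new_domain, improved): new_domain is None when the domain is proved
    empty; improved tells whether the width shrank by at least the fraction
    gamma (domain improvement factor), i.e. whether a propagation loop
    should treat the contraction as significant."""
    lo, hi = domain
    new_lo = leftmost(F, lo, hi, psi)
    if new_lo is None:
        return None, False
    new_hi = rightmost(F, new_lo, hi, psi)
    improved = (hi - lo) - (new_hi - new_lo) >= gamma * (hi - lo)
    return (new_lo, new_hi), improved
```

For the sub-domain $[2.5, 3]$ the natural extension evaluates to $[1.25, 5]$, which excludes 0, so the search proves that domain empty at once; for $[0, 3]$ it returns a domain strictly inside $(0.999, 1.001)$ around the root.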



Hull Consistency and Related Algorithms 

Hull consistency originates from a paper of J.G. Cleary [9]. 

Definition 5 (Hull consistency). A constraint $c$ is said hull consistent w.r.t. 
a box $B$ if and only if $B = \mathrm{Hull}(\rho_c \cap B)$. 

In other terms, a constraint is hull consistent if the domains cannot be strictly 
contracted without removing some elements of the associated relation. The 
different narrowing algorithms that enforce hull consistency are based on the 
inversion of constraints’ expressions. Algorithm HC3revise [9] takes as input a 
primitive constraint (in practice, a constraint having at most one operation 
symbol) whereas Algorithm HC4revise [4] operates on more general constraints. 
HC4revise is able to contract the domains of all variables occurring in any constraint 
$c$ by performing two traversals in the tree-structured representation of $c$. 
The main difference is that HC4revise is not idempotent (it has to be reinvoked 
for the computation of a fixed-point) unlike HC3revise. 

The computation of HC3revise for the constraint $c : x + y = z$ and domains 
$I_x$, $I_y$, and $I_z$, is as follows: 

$I_x \leftarrow I_x \cap (I_z - I_y)$ 

$I_y \leftarrow I_y \cap (I_z - I_x)$ 

$I_z \leftarrow I_z \cap (I_x + I_y)$ 

Algorithm HC4 is the filtering algorithm derived from AC3 that applies CNOs 
implemented by HC4revise. The precision of domains returned by HC4 depends 
on the domain improvement factor as in BC3. 
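An added Python example (not the paper's code) of the filtering scheme described above: HC3revise for primitive constraints of the form $x + y = z$, implemented by the three projections listed, driven by the AC3-like queue whose invariant is that the domains are a fixed-point of every CNO outside the queue. The domain improvement factor $\gamma$ decides whether a contraction is large enough to wake up the other constraints sharing the variable. The two-constraint system and its initial domains are constructed for the example; with $\gamma = 0$ the loop reaches the exact fixed-point, and an empty intersection reports the CSP inconsistent. Function and variable names are this example's own.

```python
from collections import deque

# Intervals are (lo, hi) float pairs with plain rounding (see footnote 1 for
# what a reliable implementation does); a domain store is a dict
# variable -> interval.


def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])


def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])


def intersect(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def hc3_revise_sum(constraint, dom, gamma=0.0):
    """HC3revise for the primitive constraint x + y = z, constraint = (x, y, z):
    I_x <- I_x n (I_z - I_y); I_y <- I_y n (I_z - I_x); I_z <- I_z n (I_x + I_y).
    Returns the set of variables whose domain width shrank by at least the
    fraction gamma, or None if a domain became empty (no solution)."""
    x, y, z = constraint
    projections = (
        (x, lambda: isub(dom[z], dom[y])),
        (y, lambda: isub(dom[z], dom[x])),
        (z, lambda: iadd(dom[x], dom[y])),
    )
    changed = set()
    for var, project in projections:
        old = dom[var]
        new = intersect(old, project())
        if new is None:
            return None
        if new != old:
            dom[var] = new
            # domain improvement factor: a small contraction is kept but
            # does not trigger further propagation
            if (old[1] - old[0]) - (new[1] - new[0]) >= gamma * (old[1] - old[0]):
                changed.add(var)
    return changed


def propagate(constraints, dom, gamma=0.0):
    """AC3-like filtering: the queue invariant is that the current domains
    are a fixed-point of every CNO not in the queue.  Returns the contracted
    domain store, or None if the CSP is inconsistent."""
    queue = deque(range(len(constraints)))
    queued = set(queue)
    while queue:
        k = queue.popleft()
        queued.discard(k)
        changed = hc3_revise_sum(constraints[k], dom, gamma)
        if changed is None:
            return None
        # HC3revise is idempotent, so only the other constraints sharing a
        # sufficiently contracted variable are revised again
        for j, c in enumerate(constraints):
            if j != k and j not in queued and changed.intersection(c):
                queue.append(j)
                queued.add(j)
    return dom


# Constructed example: x + y = z and x + z = w.
EXAMPLE_CONSTRAINTS = [("x", "y", "z"), ("x", "z", "w")]


def example_domains():
    return {"x": (0.0, 10.0), "y": (0.0, 10.0), "z": (0.0, 4.0), "w": (5.0, 6.0)}
```

On the constructed system the first revision of $x + y = z$ contracts $x$ and $y$ to $[0, 4]$, the revision of $x + z = w$ then contracts $x$ and $z$ to $[1, 4]$ and re-queues the first constraint, whose second revision contracts $y$ to $[0, 3]$; replacing the domain of $w$ by $[9, 10]$ makes the second projection empty and the CSP inconsistent.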



2.4 Gauss-Seidel Method 

The interval Gauss-Seidel method is an algorithm for bounding the solution set 
of interval linear systems [14,1,25,15]. In the case of square systems (n variables, 
n constraints) of nonlinear equations F(X) = 0, the linear system is obtained 
through a first-order Taylor expansion around the center of variables’ domains. 
Given an interval vector $I$, $m(I)$ the midpoint of $I$, $F'(I)$ an interval extension^3 
of the Jacobian matrix of $F$ over $I$, Equation (1) holds: 

$F(m(I)) + F'(I)\,(I - m(I)) = 0$   (1) 

Let $V = I - m(I)$; then Equation (1) becomes: 

$F'(I)\,V = -F(m(I))$   (2) 

E.R. Hansen [15] has shown that if $F'(I)$ is not diagonally dominant, it is more 
efficient to apply a preconditioning — multiplication by a matrix preserving the 
solution set — transforming Equation (2) into: 

$P\,F'(I)\,V = -P\,F(m(I))$   (3) 

where $P$ — a preconditioner — is the inverse of the real matrix of midpoints 
of $F'(I)$. The resulting linear system $AV = B$ (Equation (3)) is then solved 
through Gauss-Seidel iterations: the initial value of $V$ is $V = I - m(I)$. For $i$ 
taking the values from 1 to $n$, $V_i$ is computed by the following formula, assuming 
that the value of $A_{ii}$ is different from 0 (otherwise $V_i$ is not modified): 

$V_i = \left( B_i - \sum_{j=1}^{i-1} A_{ij} V_j - \sum_{j=i+1}^{n} A_{ij} V_j \right) / A_{ii}$ 

The resulting variables’ domains are then $I \cap (V + m(I))$. This process, commonly 
called multidimensional interval Newton method in the interval analysis community, 
can be seen as a non-idempotent filtering algorithm that may be applied 
on a square subpart of the initial CSP. 

E.R. Hansen has proposed to iterate some Gauss-Seidel-based algorithms 
until no sufficient domain modifications happen. In the framework of numeric 
CSPs, we argue that iterating Gauss-Seidel is less efficient than applying other 
(constraint) solving techniques that may contract the variables’ domains at a 
lower cost. 
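The preconditioned interval Gauss-Seidel sweep of this subsection, as an added Python example (not the paper's or Numerica's code), on a constructed square system $x^2 + y^2 - 2 = 0$, $x - y = 0$ over the box $[0.5, 1.5]^2$: the preconditioner $P$ is the inverse of the midpoint matrix of $F'(I)$, $A = P\,F'(I)$ and $B = -P\,F(m(I))$ are formed in interval arithmetic, and each $V_i$ is computed by the formula above and intersected with its previous value before the next row uses it, which yields $I \cap (V + m(I))$ row by row. A row whose pivot $A_{ii}$ contains 0 is skipped, as the text prescribes. Rounding is plain floating point here; the helper names and the small Gauss-Jordan inverse are this example's own.

```python
# Intervals are (lo, hi) float pairs; plain floating-point rounding is used
# for readability (a reliable implementation rounds every bound outward).

def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])


def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])


def imul(a, b):
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))


def idiv(a, b):
    if b[0] <= 0.0 <= b[1]:
        raise ZeroDivisionError("divisor contains 0")
    return imul(a, (1.0 / b[1], 1.0 / b[0]))


def inter(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def mid(a):
    return 0.5 * (a[0] + a[1])


def point(r):
    return (r, r)


def inverse(M):
    """Gauss-Jordan inverse of a small real square matrix (partial pivoting)."""
    n = len(M)
    A = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [v / p for v in A[col]]
        for r in range(n):
            if r != col:
                f = A[r][col]
                A[r] = [vr - f * vc for vr, vc in zip(A[r], A[col])]
    return [row[n:] for row in A]


def gauss_seidel(F, J, I):
    """One sweep of the preconditioned interval Gauss-Seidel method (Eq. (3))
    on the square system F(X) = 0 over the box I.  F evaluates the real
    functions at a point, J returns the interval Jacobian extension F'(I).
    Returns the contracted box, or None if it contains no solution."""
    n = len(I)
    m = [mid(x) for x in I]
    Fm = F(m)                                          # F(m(I)), a real vector
    JI = J(I)                                          # F'(I), an interval matrix
    P = inverse([[mid(e) for e in row] for row in JI])  # inverse of the midpoint matrix
    # A = P * F'(I) and B = -P * F(m(I)), computed in interval arithmetic
    A = [[point(0.0)] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = point(0.0)
            for k in range(n):
                acc = iadd(acc, imul(point(P[i][k]), JI[k][j]))
            A[i][j] = acc
    B = [point(-sum(P[i][k] * Fm[k] for k in range(n))) for i in range(n)]
    V = [isub(I[i], point(m[i])) for i in range(n)]   # initial V = I - m(I)
    for i in range(n):
        if A[i][i][0] <= 0.0 <= A[i][i][1]:
            continue                                   # pivot contains 0: V_i unchanged
        acc = B[i]
        for j in range(n):
            if j != i:
                acc = isub(acc, imul(A[i][j], V[j]))   # rows j < i already updated
        new = inter(V[i], idiv(acc, A[i][i]))
        if new is None:
            return None                                # no solution in the box
        V[i] = new
    out = []
    for i in range(n):
        dom = inter(I[i], iadd(V[i], point(m[i])))     # I n (V + m(I))
        if dom is None:
            return None
        out.append(dom)
    return out


def F_example(x):
    """Constructed system: f1 = x^2 + y^2 - 2, f2 = x - y (real evaluation)."""
    return [x[0] ** 2 + x[1] ** 2 - 2.0, x[0] - x[1]]


def J_example(X):
    """Interval extension of the Jacobian [[2x, 2y], [1, -1]]."""
    two = point(2.0)
    return [[imul(two, X[0]), imul(two, X[1])], [point(1.0), point(-1.0)]]
```

On $[0.5, 1.5]^2$ the midpoint matrix is $\begin{pmatrix} 2 & 2 \\ 1 & -1 \end{pmatrix}$, $F(m(I)) = 0$, and one sweep contracts $x$ to $[5/6, 7/6]$ and, using the already contracted $V_1$, $y$ to $[17/18, 19/18]$; on $[2, 3]^2$, which contains no solution, the first row already produces an empty intersection.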

3 Cooperative Algorithm 

We propose to design a new interval constraint solver combining two existing 
methods: box consistency combined with the Gauss-Seidel method [29], implemented 
in Numerica, and box consistency combined with hull consistency [4]. As 
the latter was shown to be more efficient than box consistency, the idea of combining 
both methods is immediate. Nevertheless, finding an efficient strategy is 
not so easy and needs an exhaustive experimental study. Heuristics must decide 
on: fine-grained integration of all methods or coarse-grained cooperation; ordering 
of application of methods; computation or not of a local fixed-point for each 
method; computation or not of a global fixed-point; tunings for the precision of 
CNOs and filtering algorithms in order to prevent slow convergence phenomena. 
The quality criterion will be the balance between pruning and computation time. 

^3 Each coefficient $(i, j)$ of the matrix $F'(I)$ is an outer approximation of the range of 
the partial derivative $\partial f_i / \partial x_j$. 







3.1 Knowledge of Existing Methods 

The design of the new algorithm is based on the knowledge of existing methods 
we are aware of, summarized below: 

— The computation of hull consistency using HC4revise is fast since the contraction 
of the domains of all variables in a constraint only needs two traversals 
in the constraint’s expression [4]. 

— Hull consistency is more precise than box consistency when variables occur 
once in constraints’ terms. Thus, BC3revise is only used in the case of variables 
occurring more than once [4]. 

— Gauss-Seidel is efficient when variables’ domains are tight [15], since the error 
term of the Taylor formula is bounded by the evaluation of the derivative 
over the whole domains. As a consequence, constraint processing techniques 
should beforehand contract the domains as much as possible [29]. 

— The computation of a fixed-point for box consistency may lead to slow convergence 
phenomena, whereas stopping before the fixed-point may lead to 
the generation of a huge number of sub-domains in a bisection algorithm. 
An algorithm presented in [13] enforces a weak box consistency and gradually 
increases the precision during the search of the fixed-point. Other 
narrowing/propagation strategies have been presented in [22]. 



3.2 Algorithm BC5 

Table 1 presents the filtering algorithm BC5 for contracting the domains of a 
numeric CSP. BC5 combines three filtering algorithms: HC4 processing all constraints 
having some simple occurrences of variables; BC3 taking as input all 
constraints’ projections over variables with multiple occurrences in the associated 
constraints; and Gauss-Seidel iterations — procedure GS — applied on a 
square system resulting from the application of any formal method — algorithm 
SquareSystem (see [8] for some implementations of that procedure). Note 
that SquareSystem must generate a CSP that defines a superset of the set of 
solutions of the initial CSP. The ordering of application of these methods is 
motivated by two remarks: HC4 is faster (but possibly less precise) than 
BC3, and the tighter the input domains (which may be obtained by enforcing 
consistency techniques), the more precise the Gauss-Seidel iterations. 

Algorithm HC4 stops when there is no sufficient contraction of the domain 
of a variable occurring once in a constraint from $C$ — the width of the domain is 
reduced by less than 10% (parameter $\gamma$ being the domain improvement factor) — 
since box consistency is supposed to be more precise for multiple occurrences of 
variables. BC3 stops when there is no sufficient contraction of any domain (parameter 
$\gamma$). Moreover, BC3revise is parameterized by a narrowing precision factor 
(parameter $\psi$) and does not use any (costly) Newton’s method. Consequently, 
no fixed-point of any filtering or narrowing algorithm is in general computed. 

The combination of HC4 with BC3 has led to the design of Algorithm BC4 
in [4]. The combination of BC3 on the whole set of projections with Gauss-Seidel 
has been presented in [29]. Algorithm BC5 does more than combining 
both methods since it is equivalent to HC4 combined with Gauss-Seidel if the 
set of projections $V$ is empty, and to BC3 combined with Gauss-Seidel if the set 
of constraints $C$ is empty. All these algorithms will be experimentally compared 
(see Section 4). 

Table 1. Filtering algorithm BC5. 

BC5 (in: $\{C_1, \ldots, C_m\}$; inout: $I = (I_1, \ldots, I_n)$) 
  let $\gamma = 10\%$ be the domain improvement factor 
  let $\psi = 10^{-8}$ be the narrowing precision factor 
begin 
  $C \leftarrow \{C_i \mid 1 \le i \le m$, there exists a variable occurring once in $C_i\}$ 
  $V \leftarrow \{(C_i, x_j) \mid 1 \le i \le m,\ 1 \le j \le n$, $x_j$ occurs more than once in $C_i\}$ 
  $S \leftarrow \mathrm{SquareSystem}(\{C_1, \ldots, C_m\}, n)$ 
  if $C \neq \emptyset$ 
    then HC4($C$, $I$, $\gamma$)   % constraint processing with hull consistency 
  endif 
  if $V \neq \emptyset$ and $I \neq \emptyset$ 
    then BC3($V$, $I$, $\gamma$, $\psi$)   % constraint processing with box consistency 
  endif 
  if $S \neq \emptyset$ and $I \neq \emptyset$ 
    then GS($S$, $I$)   % Gauss-Seidel iterations 
  endif 
end 

Finally, we argue that it is more efficient to bisect the domains before reinvoking 
BC5 for solving a numeric CSP with a finite set of solutions (typically 
defined by a square set of equations). The implemented bisection strategy splits 
one domain in three equal parts. Domains to be bisected are chosen using a 
round-robin strategy [29] that is the most efficient on average. 

The problem of characterizing the output domains from BC5 is important. 
In [4], it has been shown that any fixed-point strategy that combines HC4 with 
BC3 computes box consistency. In [29], the domains obtained from a fixed-point 
of Gauss-Seidel iterations have been shown to be box consistent with respect to 
the constraints’ Taylor extensions (one line of Equation (1)). As a consequence, 
if BC5 is iteratively applied given $\gamma = \psi = 0$, until no domain can be further 
tightened, then the output domains are box consistent with respect to a set of 
interval extensions of the input constraints. Nevertheless, the domains resulting 
from one application of BC5 are not in general box consistent. We have the 
following, expected, result: 

Proposition 1. Let $(C, I)$ be a CSP, and $J = (J_1, \ldots, J_n)$ the interval vector 
resulting from the call of BC5$(C, I)$. Then, we have: 

— $J \subseteq I$, 

— $J_1 \times \cdots \times J_n$ is a superset of the solution set of $(C, I)$. 

Proof. Follows directly from the property that a composition of narrowing operators 
defined from elementary constraints is still a narrowing operator for the 
conjunction of these constraints [2]. 
4 Experimental Results 

Table 2 compares the computation times of several filtering algorithms embedded 
in a standard branch and prune — bisection — algorithm that splits the domains 
(in three parts) if the desired precision of $10^{-8}$ is not reached. HC4+BC3 corresponds 
to BC5 when the Gauss-Seidel method is disconnected; BC3+GS to BC5 
when HC4 is disconnected and $V$ is composed of all constraints’ projections; 
HC4+GS to BC5 when BC3 is disconnected and $C$ is composed of all constraints. 
The last column contains the results from Numerica on the same machine (SUN 
Sparc Ultra 2/166MHz). The figures in the column labelled by $v$ are the number 
of variables of the CSPs. Computation times exceeding one hour are replaced by 
a question mark. A blank space means that the data is not available (the results 
of Numerica are extracted from [30]). 

Benchmarks in Table 2, extracted from [30,31] and corresponding to challenging 
problems for the state-of-the-art computer algebra, continuation or interval 
methods, are classified in four categories with respect to the most efficient method 
solving them: respectively box consistency combined with Gauss-Seidel, 
hull consistency, and hull consistency combined with Gauss-Seidel; the last ones 
are easily solved by all methods. Moreover, problem Transistor is solved by embedding 
the filtering algorithms into a 3B consistency-based search process. 

The results are analyzed now: 

1. BC5 is the best algorithm on average. HC4+BC3 suffers from the impossibility 
of removing some solutions that can be handled by Gauss-Seidel. BC3+GS 
is slow for simple occurrences of variables. HC4+GS may be imprecise for 
multiple occurrences of variables. Furthermore BC5 outperforms all other 
algorithms for problems Nbody and More-Cosnard composed of variables occurring 
once and twice in constraints (since HC4+BC3 is faster than BC3 and 
more precise than HC4). 

2. Hull consistency is always faster and more precise than box consistency in 
the case of simple occurrences of variables. The local search performed by 
BC3revise may be necessary in the case of multiple occurrences of variables, 
for example for problems Broyden-Banded and Chemistry. Surprisingly, hull 
consistency is more efficient than box consistency on some problems composed 
of multiple occurrences of variables such as Kinematics 2, Rouiller Robot, etc. 
But unfortunately, this behavior cannot be anticipated. 

3. Gauss-Seidel is efficient when the domains are tight. It permits us to separate 
the solutions and then to avoid the generation of a huge number of parasite 
domains: this is the case for Nbody, Rose and all benchmarks from the third 
category (see the rather bad results in column HC4+BC3). 

4. HC4+GS is trivially faster than BC3+GS when CSPs only contain variables 
occurring once in constraints. This is the case for DC Circuit, Pentagon, Dessin 
d’Enfant 2, Kinematics 1, Neurophysiology, Transistor, I1 and I4. In this case, BC5 
is equivalent to HC4+GS. 

5. When hull consistency is combined with box consistency, HC4revise is stopped 
when no domain of a variable occurring once is contracted (since box 
consistency is supposed to be more precise), and after the computation of 
a fixed-point when used alone. This is efficient for More-Cosnard: BC5 is two 
times faster than HC4+GS. Nevertheless, this is not always efficient, in particular 
for Caprasse and Cyclohexane where the improvement ratio is inversed. 

Table 2. Comparison of Filtering Algorithms (times in seconds). 

Benchmark              v       BC5  HC4+BC3   BC3+GS   HC4+GS  Numerica 
Nbody                  6    341.40        ?   764.70  1185.00 
Rose                   3      2.65        ?     3.10    15.70 
Broyden-Banded        10      0.10     0.25     0.10     3.40      0.50 
                      20      0.25     0.50     0.25        ?      1.70 
                      40      0.50     1.05     0.50        ?      4.00 
                      80      1.10     2.10     1.10        ?      9.20 
                     160      2.20     4.10     2.20        ?     30.00 
                     320      4.75     8.35     4.75        ?    151.80 
                     640      9.85    17.35    10.25        ? 
                    1280     20.75    34.70    21.10        ? 
Chemistry              5      0.35    38.05     0.50    35.35      1.10 
Caprasse               4      5.80    25.10     4.10     5.00 
DC circuit            10      0.20     0.15     1.15     0.20 
Pentagon One          11      0.05     0.15     0.15     0.05 
Pentagon All          11      1.75     6.00     5.60     1.75 
More-Cosnard          10      0.05     0.15     0.10     0.10      1.80 
                      20      0.15     0.40     0.70     0.40     17.30 
                      40      0.55     1.70     5.20     1.45    204.90 
                      80      2.45     6.95    41.40     6.40 
More-Cosnard Aux      10      0.20     0.20     0.25     0.20      0.40 
                      20      0.60     0.55     0.70     0.60      1.30 
                      40      2.45     1.95     2.90     2.45      7.40 
                      80     13.75     7.05    14.20    13.75     51.80 
                     160     96.10    12.75    96.60    96.10    397.00 
Dessin d’Enfant 1      8   1062.25        ?  1486.55  1047.50 
Transistor             9    444.80        ?  1677.65   444.80   2359.80 
Seyfert Filter         9    378.70        ?  1093.25   328.85 
Noonburg Network       5     80.55        ?   170.25    80.55 
Bellido Kinematics     9     84.35        ?   245.55    81.55 
Rouiller Robot         9     66.50        ?   121.90    53.50 
Dessin d’Enfant 2     10     57.50        ?   154.05    57.50 
Neurophysiology        8     46.15   178.95   141.95    46.15    108.00 
Kinematics 2           8     25.05  1175.20    53.35    19.20    243.30 
Katsura Magnetism      6      7.40   321.30    14.75     7.20 
Trinks                 6      3.10    37.00     9.10     3.00 
Wood function          4      2.50    79.05     6.60     2.10 
Solotarev              4      1.40        ?     3.40     0.40 
Cyclohexane            3      1.05        ?     1.05     0.75 
Brown                  5      0.85    55.80     3.35     0.85 
Kinematics 1          12      0.75   110.90     2.00     0.75      7.20 
Wright                 5      0.40     1.65     1.90     0.40 
Bifurcation            3      0.15     0.55     0.25     2.55 
Combustion            10      0.00     0.05     0.10     0.00      0.00 
I1                    10      0.00     0.00     0.05     0.00      0.10 
I4                    10     13.65    16.90    23.50    13.65 

6. The More-Cosnard Aux problem is a counterexample to the variable introduction 
proposed in [30] in order to share the common expressions between constraints. 
This process considerably increases the system’s dimension (from n² to about 
9n²), which dramatically slows down Gauss-Seidel, although Gauss-Seidel is not 
needed for solving the problem. This can be seen in Table 2 for More-Cosnard Aux 
with 160 variables: the cost of Gauss-Seidel is about seven times the cost of 
HC4+BC3. Furthermore, hull consistency is very efficient on the original 
More-Cosnard problem: the filtering process takes about 6s for 80 variables, 
and 13s for More-Cosnard Aux. 

Nevertheless, variable introduction permits us to speed up the solving of 
Kinematics 1 and Transistor (as proposed in [30]), and there the overcost of 
Gauss-Seidel is insignificant. 

7. The application of BC5 where V, C and S correspond to all data from the 
CSP is not efficient, since some unnecessary computations are performed. 

8. BC3+GS outperforms Numerica, which implements the same algorithms. We 
may identify two reasons: Numerica computes a fixed-point of BC3 and of 
Gauss-Seidel before bisection; and the implementation of BC3revise in our 
system does not use any Newton method and does not compute exact box 
consistency, due to the nonzero narrowing precision factor. The improvement 
is remarkable for problem More-Cosnard, since the cost of the interval Newton 
method grows with the length of the constraints’ expressions. 

5 Conclusion and Perspectives 

The solving time for numeric CSPs is improved through cooperation of narrowing 
algorithms. Algorithm BC5, described herein, makes algorithms enforcing hull 
consistency and box consistency cooperate, along with a Gauss-Seidel method, 
to compute box consistency for a set of different interval extensions of some 
constraints. To date, four algorithms are devoted to the computation of box 
consistency, namely: BC3, the algorithm used by Numerica, BC4, and BC5. 

The research reported in this paper may be extended in many ways, some of 
which are described hereafter. First, the accuracy of narrowing algorithms may 
be improved through the use of several interval extensions for the considered 
constraints. Consequently, we plan to implement Bernstein and nested forms [28] 
for polynomial constraints, as well as centered forms like Taylor extensions of 
order k ≥ 2 [20]. From there, a challenging task is the identification of heuristics 
to efficiently combine these extensions. 

High-order consistencies [18] are powerful but their implementation needs 
refinement. There is room for improvement concerning the efficient combination 
of bisections and interval tests for searching for zeros of conjunctions of 
constraints. Furthermore, choosing the right consistency level to be used for a 
given CSP requires heuristics that still need to be devised. More generally, given 
(parts of) a CSP, a difficult task is to know the lowest consistency level that 
eventually permits reaching some given precision for the solutions. 

Gaps in variables’ domains could be handled as proposed in [15]. For example, 
consider Algorithm HC4, where unions of intervals are computed and then 
immediately merged back into single intervals for complexity reasons: some 
improvement could be obtained by keeping track of the information provided by 
the gaps, to be used during the bisection process; another idea [17] is to extract 
solutions from domains as soon as they are isolated during the narrowing process. 

Algorithm BC5 uses a basic strategy. Though the tuning of precision parameters 
it allows appears efficient, a cleverer strategy would probably be to merge 
computations from HC4 and BC3, then gradually decrease the parameters’ 
values. 

Two wider research themes to improve interval narrowing algorithms may 
also be identified: cooperation of linear/non-linear solvers [11,27], and 
cooperation of symbolic/numeric techniques [21,23,12]. Achievements from these 
cooperations are, for instance, the symbolic generation of redundant constraints 
(e.g. by means of Gaussian elimination, the Simplex algorithm, or Gröbner bases), 
a first step towards our final goal: the processing of a CSP as a whole rather 
than by combining elementary computations from several constraints considered 
independently. 

Finally, we report two problems that we consider difficult, since the solving 
time by BC5 is very long. The first one is a square system from Reimer appearing 
in [7], scalable to any arbitrary order n. The variables lie in the domain 
[-10^8, 10^8]. The equations of the system have the generic form: 

    0.5 = \sum_{j=1}^{n} (-1)^{j+1} x_j^{\,i+2}, \qquad 1 \le i \le n 



The second system, from C. Nielsen and B. Hodgkin (called here Dipole) and 
also described in [7], corresponds to the “determination of magnitudes, 
directions, and locations of two independent dipoles in a circular conducting 
region from boundary potential measurements”. The variables are initially known 
to lie in [-10, 10]. The system is as follows: 

    \begin{aligned} 
    a + b &= 0.6325400 \\ 
    c + d &= -1.3453400 \\ 
    ta + ub - vc - wd &= -0.8365348 \\ 
    va + wb + tc + ud &= 1.7345334 \\ 
    at^2 - av^2 - 2ctv + bu^2 - bw^2 - 2duw &= 1.3523520 \\ 
    ct^2 - cv^2 + 2atv + du^2 - dw^2 + 2buw &= -0.8434530 \\ 
    at^3 - 3atv^2 + cv^3 - 3cvt^2 + bu^3 - 3buw^2 + dw^3 - 3dwu^2 &= -0.9563453 \\ 
    ct^3 - 3ctv^2 - av^3 + 3avt^2 + du^3 - 3duw^2 - bw^3 + 3bwu^2 &= 1.2342523 
    \end{aligned} 



The solving of these problems will probably sound the knell of Algorithm BC5. 
Abstract. In proof planning, mathematical objects with theory-specific 
properties have to be constructed. More often than not, mere unification 
offers little support for this task. However, the integration of constraint 
solvers into proof planning can sometimes help to solve this problem. 
We present such an integration and discover certain requirements to be 
met in order to integrate the constraint solver’s efficient activities in a 
way that is correct and sufficient for proof planning. We explain how 
the requirements can be met by an extension of the constraint solving 
technology and describe their implementation in the constraint solver 
CoSIE. 



In automated theorem proving, mathematical objects satisfying theory-specific 
properties have to be constructed. More often than not, unification offers 
little support for this task, and logic proofs, say of linear inequalities, can be 
very long and infeasible for purely logical theorem proving. This situation was 
a reason to develop theory reasoning approaches, e.g., in theory resolution [19], 
constrained resolution [6], and constraint logic programming [8], and to integrate 
linear arithmetic decision procedures into provers such as Nqthm [4]. Boyer and 
Moore, e.g., report how difficult such an integration may be. 

In knowledge-based proof planning [12] external reasoners can be integrated. 
In particular, a domain-specific constraint solver can help to construct mathe- 
matical objects that are elements of a specific domain. As long as these mathe- 
matical objects are still unknown during the proof planning process they are 
represented by place holders, also called problem variables. In [11] we described 
a first hand-tailored constraint solver Lineq that incrementally restricts the pos- 
sible object values. It checks for the inconsistency of constraints and thereby 
influences the search for a proof plan. 

This paper presents the integration of an extended standard constraint solver 
into proof planning and describes several generally necessary extensions of off- 
the-shelf constraint solvers for their correct use in proof planning. As a result, 
more theorems from three investigated mathematical areas (convergence of real- 
valued functions, convergent sequences, and continuous functions) can be proved 
by our proof planner. 

The paper is organized as follows: First we introduce knowledge-based proof 
planning as it is realized in the mathematical assistant system ΩMEGA [3] and 
its concrete integration of constraint solving into proof planning. In section 2 we 
summarize the requirements that the integration into proof planning causes for 
constraint solving. In section 3, we discuss the essential extensions of constraint 
solving for proof planning. Finally, we illustrate the proof planning and 
particularly CoSIE’s work with a concrete proof planning example. In the following, 
Δ, Φ, and Ψ denote sets of formulas. 

1 Integration of Constraint Solving into Proof Planning 

Proof planning, introduced by A. Bundy [5], differs from traditional search-based 
techniques by searching for appropriate proof steps at abstract levels and by a 
global guidance of the proof search. Knowledge-based proof planning [12] extends 
this idea by allowing for domain-specific operators and heuristics, by extending 
the means of heuristic guidance, and by integrating domain-specific external 
reasoning systems. 

Proof planning can be described as an application of classical AI-planning 
where the initial state consists of the two proof assumptions represented by 
sequents¹ and of the goal, which is a sequent representing the theorem to be 
proved. For instance, for proving the theorem LIM+, which states that the limit 
of the sum of two real-valued functions f and g at a point a ∈ ℝ (a real number 
a) is the sum of their limits, the initial planning state consists of the goal 

    \emptyset \vdash \lim_{x \to a} f(x) + g(x) = L_1 + L_2 

and of the proof assumptions 

    \emptyset \vdash \lim_{x \to a} f(x) = L_1 \quad \text{and} \quad \emptyset \vdash \lim_{x \to a} g(x) = L_2. 

After the expansion of the definition of \lim_{x \to a} the resulting planning goal is 

    \emptyset \vdash \forall \varepsilon (\varepsilon > 0 \to \exists \delta (\delta > 0 \wedge \forall x ((|x - a| < \delta \wedge x \neq a) \wedge |(f(x) + g(x)) - (L_1 + L_2)| < \varepsilon))). 

Proof planning searches for a sequence of operators that transfers the initial state 
into a state with no open planning goals. The proof plan operators represent 
complex inferences that correspond to mathematical proof techniques. These 
operators are usually more abstract than the rules of the basic logic calculus. 
Thus, a proof of a theorem is planned at an abstract level and a plan is an outline 

¹ A sequent (Δ ⊢ F) consists of a set of formulas Δ (the hypotheses) and a formula 
F and means that F is derivable from Δ. 
of the proof. This plan can be recursively expanded to the calculus level, where 
it can be checked for correctness by a proof checker.² 

In the following, we briefly introduce knowledge-based proof planning as it 
is realized in the ΩMEGA system. 

1.1 Proof Planning in ΩMEGA 

The operators in ΩMEGA have a frame-like representation. As a first example 
of planning operators, we explain TellCS, which plays an important role in the 
integration of constraint solving into proof planning: 

    operator: TellCS(CS) 
      premises:      L1 
      conclusions:   ⊖L2 
      appl-cond:     is-constraint(c, CS) AND var-in(c) AND tell(L2, CS) 
      proof schema:  L1. Δ₁ ⊢ C        () 
                     L2. Δ, C ⊢ c      (solveCS; L1) 



TellCS has the constraint solver CS as a parameter. The application of 
TellCS works on goals c that are constraints. When TellCS is matched with 
the current planning state, c is bound to this goal. This is indicated by the 
conclusion L2. The ⊖ in ⊖L2 indicates that the planning goal is removed from the 
planning state when TellCS is applied. The operator introduces no new subgoals 
because there are no ⊕-premises. An operator is applied only if the application 
condition, appl-cond, evaluates to true. The application condition of TellCS says 
that the operator is applicable if the following conditions are fulfilled. Firstly, 
the open goal that is matched with the c in line L2 of TellCS has to be a 
constraint, i.e., a formula of the constraint language of the constraint solver that 
instantiates CS. Secondly, the goal should contain at least one problem variable 
whose value is restricted by c. Last but not least, the constraint goal must be 
consistent with the constraints accumulated by CS so far. The latter is checked 
by tell(L2, CS), which evaluates to true if CS does not find an inconsistency of 
the instantiated c with the constraints accumulated so far. The constraint solver 
is accessed via the tell function. 

The proof schema of TellCS contains a meta-variable C that is a place holder 
for the conjunction of all constraints accumulated (also called the answer 
constraint). The instantiation of C is relevant for line L2 in the proof schema, 
which states that the constraint can be logically derived from the yet unknown 
answer constraint. 

The control mechanism of our proof planner prefers the operator TellCS, if the 
current planning goal is an inequality or an equation. 

² The basic calculus of the ΩMEGA system is natural deduction (ND) [17]. 
Another planning operator is ExistsIntro³, which eliminates an existential 
quantification in a planning goal: 

    operator: ExistsIntro 
      premises:      ⊕L1 
      conclusions:   ⊖L2 
      appl-cond:     M_x := new-meta-var(x) 
      proof schema:  L1. Δ ⊢ φ[M_x/x]     (OPEN) 
                     L2. Δ ⊢ ∃x.φ          (ExistsI; L1) 

ExistsIntro closes an existentially quantified planning goal that matches L2 
by removing the quantifier and replacing the variable x by a new problem 
variable M_x. The formula φ[M_x/x] is introduced as a new subgoal, which is 
indicated by the ⊕-premise ⊕L1. The function new-meta-var in the application 
condition computes a new problem variable with the type of x. The proof schema 
is introduced into the partial proof plan when the operator is expanded. 
ExistsIntro is often applied iteratively for a number of quantifiers when 
normalizing a goal. 

Even if only one operator is applicable, there may be infinitely many branches 
at a choice point in proof planning. This problem occurs, for example, when 
existentially quantified variables have to be instantiated. In a complete proof, 
x in ∃x.φ has to be replaced by a term t, a witness for x. Since usually t is 
still unknown when ExistsIntro is applied, one solution would be to guess a 
witness for x and to backtrack in search if no proof can be found with the chosen 
witness. This approach yields unmanageable search spaces. We have chosen the 
approach of introducing M_x as a place-holder for the term t and of searching for 
the instantiation of M_x only when all constraints on t are known. 

Melis [10] motivates the use of domain-specific constraint solvers to find 
witnesses for existentially quantified variables. The key idea is to delay the 
instantiations as long as possible and let the constraint solver incrementally 
restrict the admissible object values. 



1.2 The Integration 

Constraint solvers employ domain-specific data structures and algorithms. The 
constraint solver CoSIE, described later, is a propagation-based real-interval 
solver. It is integrated as a mathematical service into the distributed architecture 
of the ΩMEGA system. 

Fig. 1 schematically depicts the interface between the proof planner of ΩMEGA 
and our constraint solver. The constraint solver can be accessed directly by the 
proof planner and by interface functions that are called in the application 
conditions of certain planning operators. The proof planner’s application of the 

³ ExistsIntro encapsulates the ND-calculus rule ExistsI, which is the rule 
where t is an arbitrary term. 
Fig. 1. Interface between constraint solving and proof planning. 



operator InitializeCS initializes the constraint solver at the beginning of each 
planning process. During proof planning the main interface is provided via the 
planning operators TellCS and AskCS. TellCS sends new constraints to the 
solver by calling the tell function and AskCS tests entailment of constraints 
from the constraints collected so far by calling the ask function. At the end of 
the planning process, the proof planner directly calls the constraint solver to 
compute an answer constraint formula and to search for witnesses for problem 
variables. 

A constraint solver can help to reduce the search during planning because it 
checks the validity of the application conditions of certain operators by checking 
for the inconsistency of constraints. When such an inconsistency is detected, the 
proof planner backtracks rather than continuing the search at that point in the 
search space. 

2 Requirements of Constraint Solving in Proof Planning 

For an appropriate integration of constraint solving into proof planning, several 
requirements have to be satisfied. The most relevant ones are discussed in the 
following. 

1. Proof planning needs to process constraints containing terms, e.g., E_1 ≤ 
ε/(2.0 * M). These terms may contain names of elements of a certain domain 
(e.g., 2.0) as well as variables (e.g., M, E_1) and symbolic constants (e.g., ε). So, 
as opposed to systems for variables constrained by purely numeric terms, the 
constraint representation and inference needs to include non-numeric (we say 
“symbolic”) terms in order to be appropriate for proof planning. 

In the following, we always use the notion “numeric” to indicate that a certain 
value or inference is related to a certain domain, although this domain does not 
necessarily have to contain natural, rational, or real numbers. 

2. Since in the planning process not every variable occurs in the sequents of 
the initial state, the set of problem variables may grow. In particular, proof 
planning operators may produce new auxiliary variables that are not contained in 
the original problem. Moreover, the set of constraints grows incrementally 
and typically reaches a stable state only at the end of the planning process. 
Therefore, dynamic constraint solving [14] is needed. 
3. Since backtracking is possible in proof planning, constraints that have 
already been added to the constraint store may be withdrawn again. 

4. In proof planning a constraint occurs in a sequent (Δ ⊢ c) that consists 
of a set Δ of hypotheses and the actual constraint formula c. The hypotheses 
provide the context of a constraint and must be taken into account while 
accumulating constraints, in computing the answer constraint, and in the search 
for instantiations of problem variables. Therefore, we refer to a sequent Δ ⊢ c 
as a constraint in the rest of this paper. Importantly, certain problem variables, 
called shared variables, occur in different (possibly contradicting) contexts. For 
instance, the new contexts Δ ∪ {X = a} and Δ ∪ {X ≠ a} result from introducing 
a case split (X = a ∨ X ≠ a) into a proof plan, where Δ is the set of hypotheses 
in the preceding plan step. When a new constraint Δ ∪ {X = a} ⊢ c is processed 
in the X = a branch of the proof plan, its consistency has to be checked with 
respect to all constraints with a context Φ which is a subset of Δ ∪ {X = a}. 

5. In order to yield a logically correct ND-proof when the operators are 
expanded, the constants that are introduced by the ND-rules ∀I and ∃E⁴ 
have to satisfy the Eigenvariable condition, i.e., they must not occur in other 
formulas beforehand. That is, they must not occur in witnesses that will be 
instantiated for place holders in the formulas. This condition must be satisfied 
by the search for witnesses of problem variables. 



3 Constraint Solving for Proof Planning 

Many off-the-shelf constraint solvers are designed to tackle combinatorial (op- 
timization) problems. For them all problem variables are introduced at the be- 
ginning and the solver submits the problem to a monolithic search engine that 
tries to find a solution without any interference from outside. 

An established model for (propagation-based) constraint solving [18] involves 
numeric constraint inference over a constraint store holding so-called basic 
constraints over a domain such as, for example, the domain of integers, sets of 
integers, or real numbers. A basic constraint is of the form X = v (X is bound to a 
value v of the domain), X = Y (X is equated to another variable Y), or X ∈ B (X 
takes its value in B, where B is an approximation of a value of the respective 
domain). Attached to the constraint store are non-basic constraints. Non-basic 
constraints, as for example “X + Y = Z” over integers or real numbers, are more 
expressive than basic constraints and, hence, require more computational effort. 
A non-basic constraint is realized by a computational agent, a propagator, 
observing the basic constraints of its parameters, which are variables in the 
constraint store (in the example X, Y, and Z). The purpose of a propagator is to 
infer new basic constraints for its parameters and add them to the store. That 
happens until no further basic constraints can be inferred and written to the 
store, i.e., until a fix-point is reached. Inference can be resumed by adding new 
constraints, 

⁴ These are the rules ∀I and ∃E, where a must not occur in any formula in 
Δ ∪ {F, G}. 
either basic or non-basic. A propagator terminates if it is either inconsistent 
with the constraint store or explicitly represented by the basic constraints in the 
store, i.e., entailed by the store. 

The common functionalities of these constraint solvers are consistency check, 
entailment check, reflection, and search for instantiations. (In)consistency check 
includes the propagation of constraints combined with the actual consistency 
algorithm, e.g., with arc-consistency AC3 [9]. 

No previous solver satisfies all the above mentioned requirements, and 
therefore we developed an extended constraint solver that can be safely integrated 
into proof planning. In the following, we describe the extensions of this solver 
and the implementation of these extensions. 

3.1 Extensions of Constraint Solving 

In order to meet requirement 1, a symbiosis of numeric inference techniques 
and domain-specific term rewriting rules is needed. To meet requirements 
2, 3, and 4, we introduce so-called context trees, which store constraints w.r.t. their 
context and enable an efficient test for subset relations between contexts. The 
context tree is also used to compute a logically correct answer constraint formula 
and to build the initial constraint store for the search for witnesses. 

Constraint Inference. We employ two different kinds of constraint inference in 
order to detect inconsistencies as fast as possible and to symbolically solve and 
simplify symbolic constraints. One algorithm efficiently tests a set of constraints 
for inconsistencies by inspecting and handling the numeric bounds of variables. 
We refer to this algorithm as numeric inference. Another algorithm, for symbolic 
inference, uses term rewrite rules to simplify the symbolic representation of 
constraints and constraint simplification rules to transform a set of constraints 
into a satisfiability-equivalent one which is in a unique solved form. 

A typical constraint solver for (in)equalities in the real numbers ℝ that 
represents constraints by numerical lower and upper bounds has to be extended, 
because otherwise in some cases unique bounds cannot be determined. For 
example, a problem variable D may have two upper bounds, δ_1 and δ_2, which are 
symbolic constants. These bounds cannot be replaced by a unique upper bound 
unless a function min is employed. Constraint simplification rules help to 
determine and to reduce the sets of upper (lower) bounds of a problem variable 
and to detect inconsistencies which cannot be found efficiently by purely numeric 
inference. For instance, the constraint X < Y + Z ∧ Y + Z < W ∧ W < X is obviously 
inconsistent, but numeric inference cannot detect this inconsistency efficiently. 
This requires a constraint representation that can be handled by both numeric 
and symbolic inference. The extension of a constraint solver needs to integrate 
both inference mechanisms into a single solver and benefit from the results of the 
respective other inference. 
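The cyclic constraint just mentioned, worked through in code. This is an added example and not CoSIE's code; it assumes a toy constraint language in which a constraint is a triple (lhs, op, rhs) with op in {"<", "<="}, each side being either a variable name or a sum written "Y+Z", and it models numeric inference as interval propagation on the variables and symbolic inference as the single transitivity rule over the strict-order graph of the terms (no general rewriting). With unbounded variables the propagation never narrows anything and reports the cycle as consistent, while the graph walk finds it at once.

```python
"""Cycle of strict inequalities: bound propagation vs. symbolic inference.

Added example, not CoSIE's code (see the lead-in for the assumptions).
"""
from collections import deque

INF = float("inf")


def _summands(term):
    return term.split("+")


def _interval(term, bounds):
    """Interval of a variable or of a sum of variables."""
    lo = sum(bounds[v][0] for v in _summands(term))
    hi = sum(bounds[v][1] for v in _summands(term))
    return lo, hi


def _tighten(term, bounds, new_lo=None, new_hi=None):
    """Push a bound on a sum down to each summand: x <= hi(sum) - lo(rest)."""
    changed = False
    parts = _summands(term)
    for v in parts:
        rest_lo = sum(bounds[w][0] for w in parts if w != v)
        rest_hi = sum(bounds[w][1] for w in parts if w != v)
        if new_hi is not None and new_hi - rest_lo < bounds[v][1]:
            bounds[v][1] = new_hi - rest_lo
            changed = True
        if new_lo is not None and new_lo - rest_hi > bounds[v][0]:
            bounds[v][0] = new_lo - rest_hi
            changed = True
    return changed


def numeric_inference(constraints, bounds, max_rounds=1000):
    """Interval propagation to a fix-point; returns (consistent, bounds).

    A strict a < b is propagated like a <= b: interval bounds cannot express
    strictness, which is exactly why a cycle of strict inequalities over
    unbounded variables passes unnoticed here."""
    bounds = {v: list(iv) for v, iv in bounds.items()}
    for _ in range(max_rounds):
        changed = False
        for a, _op, b in constraints:
            a_lo, _a_hi = _interval(a, bounds)
            _b_lo, b_hi = _interval(b, bounds)
            changed |= _tighten(a, bounds, new_hi=b_hi)   # a cannot exceed max(b)
            changed |= _tighten(b, bounds, new_lo=a_lo)   # b cannot go below min(a)
        if any(lo > hi for lo, hi in bounds.values()):
            return False, bounds
        if not changed:
            break
    return True, bounds


def _path(succ, start, goal):
    """BFS path start -> ... -> goal along inequality edges, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in succ.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def symbolic_cycle(constraints):
    """Return a cycle t0 < t1 ... t0 (inconsistent by transitivity) or None.

    A cycle consisting only of "<=" edges forces equality and is consistent,
    so only cycles through at least one strict edge are reported."""
    succ = {}
    for a, _op, b in constraints:
        succ.setdefault(a, []).append(b)
        succ.setdefault(b, [])
    for a, op, b in constraints:
        if op == "<":
            back = _path(succ, b, a)
            if back is not None:
                return [a] + back
    return None


# Constructed sample: the cycle from the text, all variables unbounded.
CYCLE = [("X", "<", "Y+Z"), ("Y+Z", "<", "W"), ("W", "<", "X")]
FREE = {v: (-INF, INF) for v in ("X", "Y", "Z", "W")}

if __name__ == "__main__":
    print("numeric says consistent:", numeric_inference(CYCLE, FREE)[0])
    print("symbolic cycle:", symbolic_cycle(CYCLE))
```

The symbolic side compares terms by name only, so "Y+Z" is one node of the graph; CoSIE's rewriting would additionally normalise terms before such comparisons.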

Context Trees. Context trees consist of nodes, the context nodes. Each such 
node N_Φ consists of a set Φ of hypotheses (the context) and a set S_Φ = {c | Δ ⊢ 
c is a constraint and Δ ⊆ Φ}. 
A context tree is a conjunctive tree representing the conjunction of all 
constraints stored in the nodes. Fig. 2 shows the structure of such a context tree. 

[Fig. 2: diagram of a context tree; the root node is annotated with the empty context {}] 

Fig. 2. A Context Tree with node annotations. Δ and Φ are sets of formulas; φ, θ, and 
ξ are formulas. Δ, φ stands for Δ ∪ {φ}. 



The root node is annotated with the empty context {}. A directed edge from a 
node N_Δ to a child N_Φ implies Δ ⊂ Φ. A subtree T_Φ of a context tree consists 
of all nodes with a context Ψ for which Φ ⊆ Ψ holds. 

A new constraint (Δ ⊢ c) must be consistent with the constraint sets S_Φ with 
Δ ⊆ Φ. The constraint solver has to check for consistency with the sets S_Φ in 
the leaf nodes only, because the sets of constraints grow from the root node to 
the leaves. In other words, Δ ⊆ Φ implies S_Δ ⊆ S_Φ. If an inconsistency occurs in 
at least one leaf, the constraint (Δ ⊢ c) is not accepted by the constraint solver. 
Otherwise, c is added to all sets S_Φ in the subtree T_Δ. If the subtree T_Δ is the 
empty tree, i.e., the context Δ is new to the constraint solver, new nodes N_Δ 
are created and inserted into the context tree as shown in Fig. 2. This operation 
preserves the subset relations in the context tree. 

When a constraint (Δ ⊢ c) has to be withdrawn because of backtracking in 
the proof planning, c is simply removed from all nodes in the subtree T_Δ. Empty 
context nodes are removed from the tree. 

The Answer Constraint. At the end of the planning process, the constraint solver 
uses the structure of the context tree to compute the answer constraint formula. 
Let Δ_1, …, Δ_n be the contexts of all nodes in the context tree and C_1, …, C_n be 
the conjunctions of all formulas which are new in S_{Δ_1}, …, S_{Δ_n} respectively, i.e., 

    C_i := S_{\Delta_i} \setminus \{c \mid c \in S_{\Delta_j} \text{ with } \Delta_j \subset \Delta_i\}. 

Then the answer constraint formula is 

    \bigwedge_{i=1}^{n} (\Delta_i \to C_i). 
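The context tree operations above (telling a constraint, checking only the leaves of T_Δ, creating a node for a new context, withdrawing on backtracking) and the answer constraint of the last paragraph, carried through in code. This is an added example, not CoSIE's implementation: it assumes a hypothesis is any hashable label (here strings such as "X=a"), a constraint is a tuple (variable, op, number) with op in {"<=", ">="}, and numeric inference is reduced to comparing the tightest lower and upper bound per variable; the names ContextTree, tell, withdraw and answer_constraint are this example's own.

```python
"""Context tree for constraints of the form (Delta |- c).

Added example, not CoSIE's code (see the lead-in for the assumptions).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Hashable, Iterable

Constraint = tuple            # e.g. ("M", "<=", 4.0)
Context = frozenset           # set of hypothesis labels


def consistent(constraints: Iterable[Constraint]) -> bool:
    """Toy numeric inference: per variable, max lower bound <= min upper bound."""
    lower: dict = {}
    upper: dict = {}
    for var, op, value in constraints:
        if op == ">=":
            lower[var] = max(lower.get(var, float("-inf")), value)
        elif op == "<=":
            upper[var] = min(upper.get(var, float("inf")), value)
        else:
            raise ValueError(f"unsupported relation {op!r}")
    return all(lower.get(v, float("-inf")) <= upper.get(v, float("inf"))
               for v in set(lower) | set(upper))


@dataclass
class Node:
    context: Context                               # Phi
    constraints: set = field(default_factory=set)  # S_Phi
    children: list = field(default_factory=list)


class ContextTree:
    """N_Phi holds S_Phi = {c | (Delta |- c) was told and Delta is a subset of Phi}."""

    def __init__(self) -> None:
        self.root = Node(frozenset())             # empty context {}
        self.nodes: dict = {self.root.context: self.root}

    def subtree(self, delta: Context) -> list:
        """T_Delta: every node whose context is a superset of Delta."""
        return [n for n in self.nodes.values() if delta <= n.context]

    def tell(self, delta: Iterable[Hashable], c: Constraint) -> bool:
        """Accept (Delta |- c) iff it is consistent with every leaf of T_Delta."""
        delta = frozenset(delta)
        t_delta = self.subtree(delta)
        if t_delta:
            # Constraint sets grow from the root to the leaves, so the
            # leaves of T_Delta cover every node of the subtree.
            leaves = [n for n in t_delta if not n.children]
            if not all(consistent(n.constraints | {c}) for n in leaves):
                return False
            for n in t_delta:
                n.constraints.add(c)
            return True
        # Delta is new: create N_Delta below the largest known subset context,
        # inheriting those constraints so that subset contexts keep subset sets.
        smaller = [n for n in self.nodes.values() if n.context < delta]
        inherited = set().union(*(n.constraints for n in smaller))
        if not consistent(inherited | {c}):
            return False
        parent = max(smaller, key=lambda n: len(n.context))
        new = Node(delta, inherited | {c})
        parent.children.append(new)
        self.nodes[delta] = new
        return True

    def withdraw(self, delta: Iterable[Hashable], c: Constraint) -> None:
        """Backtracking: remove c from T_Delta and drop context nodes left empty."""
        for n in self.subtree(frozenset(delta)):
            n.constraints.discard(c)
        self._prune(self.root)

    def _prune(self, node: Node) -> None:
        kept = []
        for child in node.children:
            self._prune(child)
            if child.constraints:
                kept.append(child)
            else:
                kept.extend(child.children)   # grandchildren keep the subset order
                del self.nodes[child.context]
        node.children = kept

    def answer_constraint(self) -> list:
        """[(Delta_i, C_i)] with C_i = S_Delta_i minus what a strictly smaller
        context already holds; read as AND_i (Delta_i -> C_i)."""
        answer = []
        for n in sorted(self.nodes.values(), key=lambda n: len(n.context)):
            older = set().union(*(m.constraints for m in self.nodes.values()
                                  if m.context < n.context))
            new = n.constraints - older
            if new:
                answer.append((n.context, new))
        return answer


def demo() -> list:
    """Constructed case split X = a / X != a with a shared problem variable M."""
    tree = ContextTree()
    tree.tell([], ("M", ">=", 1.0))              # {}    |- M >= 1
    tree.tell(["X=a"], ("M", "<=", 4.0))         # X=a   |- M <= 4
    tree.tell(["X/=a"], ("M", "<=", 2.0))        # X/=a  |- M <= 2
    tree.tell(["X=a"], ("M", ">=", 3.0))         # accepted: only the X=a leaf is checked
    tree.tell([], ("M", ">=", 3.0))              # rejected: clashes with M <= 2 in X/=a
    tree.withdraw(["X=a"], ("M", ">=", 3.0))     # backtracking
    return tree.answer_constraint()


if __name__ == "__main__":
    for ctx, cs in demo():
        print(sorted(ctx), "->", sorted(cs))
```

When T_Δ is non-empty but no node carries exactly the context Δ, the constraint is attached to the existing superset nodes, as the text describes; the answer constraint then guards it with the larger context, which is still logically correct.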

Search for Witnesses. Since the context tree is a conjunctive tree, witnesses of 
the problem variables have to satisfy all constraints in the context tree whose 
respective context is satisfied. The constraint solver searches for a solution for 
each problem variable which satisfies all constraints. In particular, the search 
for witnesses of shared variables which occur in different contexts has to take 
into account all constraints of these variables. Therefore, the constraint solver 
creates a single set with all constraints from the leaf nodes at the beginning of 
the search process. 

The search algorithm uses numeric inference and term rewriting to compute 
an interval constraint max(L) ≤ X ≤ min(U) for every problem variable X, 
where L (U) is a list whose first element is the numeric lower (upper) bound 
l (u) and the rest of L (U) consists of the symbolic lower (upper) bounds. An 
element is dropped from a bound list as soon as it is found to be not maximal 
(minimal). Eventually, the maximal lower bound max(L) and the minimal upper 
bound min(U) are used to compute a witness for X. The search algorithm must 
not compute witnesses which contain Eigenvariables of the respective problem 
variable. 
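The bound-list reduction and witness step just described, as an added example that is not CoSIE's code. It assumes a bound is a Term carrying its printed name, the numeric interval [lo, hi] currently known for its value (what numeric inference would supply) and the set of Eigenvariables it mentions; a bound is dropped as soon as another one in the same list is certainly at least as good, the interval constraint max(L) ≤ X ≤ min(U) is satisfiable unless some remaining lower bound is certainly above some upper bound, and the witness is the term min(U) (or max(L) when U is empty), refused when it would contain an Eigenvariable of X. The helper names and the sample bounds are constructed for this example.

```python
"""Bound lists and witness search for one problem variable X.

Added example, not CoSIE's code (see the lead-in for the assumptions).
"""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Term:
    name: str                       # printed form, e.g. "delta1" or "0"
    lo: float                       # numeric interval known for the term's value
    hi: float
    eigen: frozenset = frozenset()  # Eigenvariables occurring in the term


def _reduce(bounds, beats):
    """Drop every bound beaten by another one; on exact ties keep the earlier."""
    kept = []
    for i, b in enumerate(bounds):
        beaten = any(j != i and beats(o, b) and not (beats(b, o) and j > i)
                     for j, o in enumerate(bounds))
        if not beaten:
            kept.append(b)
    return kept


def reduce_lower(L):
    """o beats b as a lower bound when o is certainly >= b (not maximal)."""
    return _reduce(L, lambda o, b: o.lo >= b.hi)


def reduce_upper(U):
    """o beats b as an upper bound when o is certainly <= b (not minimal)."""
    return _reduce(U, lambda o, b: o.hi <= b.lo)


def interval_constraint(L, U):
    """Return (L', U', satisfiable) for max(L') <= X <= min(U')."""
    L2, U2 = reduce_lower(L), reduce_upper(U)
    ok = all(l.lo <= u.hi for l in L2 for u in U2)
    return L2, U2, ok


def witness(L, U, forbidden=frozenset()):
    """Symbolic witness for X as a string, or None when none is admissible.

    `forbidden` holds the Eigenvariables of X: a witness built from a bound
    that mentions one of them would violate the Eigenvariable condition."""
    L2, U2, ok = interval_constraint(L, U)
    if not ok:
        return None
    side, fn = (U2, "min") if U2 else (L2, "max")
    if not side or any(t.eigen & forbidden for t in side):
        return None
    if len(side) == 1:
        return side[0].name
    return fn + "(" + ", ".join(t.name for t in side) + ")"


# Constructed sample bounds for X: 0 <= X, eps <= X, X <= 1, X <= delta1,
# X <= delta2, with eps, delta1, delta2 only known to be positive.
SAMPLE_L = [Term("0", 0.0, 0.0), Term("eps", 0.0, INF)]
SAMPLE_U = [Term("1", 1.0, 1.0), Term("delta1", 0.0, INF), Term("delta2", 0.0, INF)]

if __name__ == "__main__":
    L2, U2, ok = interval_constraint(SAMPLE_L, SAMPLE_U)
    print([t.name for t in L2], [t.name for t in U2], ok)
    print("witness:", witness(SAMPLE_L, SAMPLE_U))
```

The lower bound 0 is dropped because eps is known to be at least 0, whereas none of the upper bounds can be discarded on numeric grounds alone; deciding that 2*delta1 is worse than delta1 as an upper bound would need the term rewriting the text mentions.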



3.2 Implementation 

This section describes the constraint solver CoSIE (Constraint Solver for 
Inequalities and Equations over the field of real numbers). The constraint 
language of CoSIE consists of arithmetic (in)equality constraints over the real 
numbers, i.e., constraints with one of the relations <, ≤, =, ≥, and >. Terms in 
formulas of this language are built from real numbers, symbolic constants and 
variables, and the function symbols /, min, and max. Terms may also contain 
ground alien terms, i.e., ground terms which contain function symbols unknown 
to CoSIE, i.e., alien. For instance, |f'(a)| is a ground alien term containing the two 
function symbols |.| and f'. CoSIE handles these alien terms by variable 
abstraction, i.e., for constraint inference these terms are replaced by variables 
and later on instantiated again. 

CoSIE is implemented in the concurrent constraint logic programming lan- 
guage Mozart Oz [16]. CoSIE builds a context tree whose nodes are computa- 
tion spaces annotated with contexts. A computation space is a Mozart Oz data 
structure that encapsulates data, e.g., constraints, and any kind of computation 
including constraint inference. After constraint inference has reached a fix-point, 
a computation space may have various states: the constraints are inconsistent, 
all propagators vanished since they are represented by the basic constraints in 
the constraint store, or the space contains disjunctions, i.e., constraint inference 
will proceed in different directions. 

When a new constraint (Δ ⊢ c) is sent to the solver by TellCS, it has to 
be added to certain computation spaces in the context tree. Therefore, a new 
computation space s_c containing c only is created and merged with all 
computation spaces in the leaf nodes of the subtree T_Δ. In each of these 
computation spaces, the symbolic inference procedure tries to simplify constraints 
and detect non-trivial inconsistencies. Propagation, i.e. numeric inference, is 
triggered by the symbolic inference procedure as described in the next paragraph. 
When a fix-point is reached in numeric and symbolic inference, the resulting 
computation spaces are asked for their state to detect inconsistencies. If no 
inconsistency is detected, c is inserted into every computation space of the 
subtree T_Δ by merging with the space s_c. 

[Fig. 3: diagram with the two panels "symbolic inference" and "numeric inference"] 

Fig. 3. Combining symbolic and numeric inference. 



Symbolic and Numeric Constraint Inference. In CoSIE, numeric inference is 
based on the off-the-shelf Real-Interval (RI-) module coming with the Mozart 
Oz system. The RI-module provides RI-variables (constraint variables attributed 
with intervals of real numbers). As an extension, the RI-module now provides 
first-class propagators for all relations and functions from CoSIE's constraint 
language. Being first-class data structures, these propagators can be 
inspected, started, and terminated, e.g., by the symbolic inference procedure, and 
at the same time work on the constraint store in the usual way. 

The symbiosis of symbolic and numeric inference is based on a shared representation 
of constraints and on the first-class propagators. Every variable 
and every symbolic constant occurring in a constraint processed by CoSIE is 
connected to a corresponding RI-variable. The relations and non-alien functions 
of a constraint are connected to the first-class propagators of those relations and 
functions of the RI-module. 

Fig. 3 illustrates the combination of symbolic and numeric inference. It shows 
CoSIE's connections of the constraint $1 < X \wedge X < Y \wedge X + Y = Z$ to the first-class 
propagators for $<$ and $+$ and to the RI-variables for $X$, $Y$, and $Z$ in the 
constraint store. 

The symbolic inference procedure applies (conditional) rewrite rules and constraint 
simplification rules from the theory of real numbers to (symbolic) constraints 
in order to transform these constraints into an equivalent normal form. 
Since the symbolic inference changes the term structure of constraints, it directly 
influences the corresponding first-class propagators. It starts or terminates 
first-class propagators connected to the relations and non-alien functions of the 
terms changed by the application of rewrite and constraint simplification rules. 
One of the rewrite rules used by CoSIE is the following. 

$$(t_1 \cdot t_2)/(t_1 \cdot t_3) \;[t_1 > 0] \;\Rightarrow\; t_2/t_3 \qquad (1)$$
If the condition $t_1 > 0$ holds, then the rule cancels out the common factor $t_1$ 
in a fraction. When the symbolic inference procedure receives, for instance, the 
constraint $a > 0 \wedge E < (a \cdot \varepsilon)/(a \cdot M)$, it creates new RI-variables for $E$, $M$, $\varepsilon$, and 
$a$ (in case they do not exist yet) and computes new first-class propagators for the 
relations $>$ and $<$ and for all occurrences of the functions $/$ and $\cdot$. Rule (1) 
is applied to the term $(a \cdot \varepsilon)/(a \cdot M)$, which is transformed to the normal form 
$\varepsilon/M$. Thus, the first-class propagators for $\cdot$ in $(a \cdot \varepsilon)$ and $(a \cdot M)$ are terminated. 

The symbolic inference applies constraint simplification rules to detect inconsistencies 
as early as possible, e.g., 

$$(t_1 < t_2) \wedge (t_2 < t_3) \wedge (t_3 < t_1) \;\Rightarrow\; \bot \qquad (2)$$

For instance, the constraint $X < Y + Z \wedge Y + Z < W \wedge W < X$, already 
mentioned above, is instantly simplified to $\bot$ by the application of rule (2). With 
pure numeric inference it would take several minutes to detect this inconsistency. 

Search. The search procedure of CoSIE collects all constraints of the leaf nodes 
of the context tree in a single computation space, the root space of the search 
tree. As described below, the search may create new computation spaces. The 
search procedure checks recursively for each space whether it is inconsistent or 
contains a solution. For each computation space, propagation reduces the domains 
of the variables. Additionally, the symbolic inference applies term rewrite 
rules and constraint simplification rules to transform the constraint store into 
a solved form, to compute a unique symbolic smallest upper bound (greatest lower 
bound) for each variable, and to detect inconsistencies as early as possible. A set 
of constraints in solved form does not contain any redundant or trivially valid 
constraints, e.g., $0 < 1$. One of the simplification rules is 

$$(X < t_1) \wedge (X < t_2) \;\Rightarrow\; X < \min\{t_1, t_2\},$$

where the $t_i$ are arithmetic terms and $X$ is a problem variable. When propagation 
has reached a fix-point and no rewrite and constraint simplification rules 
are applicable, a space whose state is not failed is said to be stable. For a 
stable space with undetermined variables a distribution algorithm computes alternatives 
for the values of a carefully chosen variable $X$. The search algorithm 
uses these alternatives to create new disjunctive branches in the search tree, i.e., 
new computation spaces for every alternative for the domain of $X$. The new 
computation spaces contain exactly one of the alternatives and are submitted 
to recursive exploration again. The entire process is aborted as soon as a solution 
is found. For instance, if a variable $X$ is constrained by $0 < X \wedge X < \varepsilon$, 
three alternatives for $X$ are computed, expressed by the new constraints X = |, 
X < |, and X > |. 

4 Worked Example 

Ωmega's proof planner and the integrated constraint solver CoSIE could find 
proof plans for many theorems, examples, and exercises from two chapters of the 
introductory analysis textbook [2]. The now extended constraint solver allows 
for correctly handling proof plans that involve a case split. A case split produces 
alternative contexts of constraints. 

A proof that requires a case split is, e.g., the proof of the theorem ContIfDeriv. 
This theorem states that if a function $f: \mathbb{R} \to \mathbb{R}$ has a derivative $f'(a)$ at a 
point $a \in \mathbb{R}$, then it is continuous in $a$. In the following, we briefly describe those 
parts of the planning process for ContIfDeriv that are relevant for the integrated 
constraint solving. Let us assume a formalization of the problem that implies an 
initial planning state with the assumption (1): 

$$\emptyset \vdash \forall \varepsilon_1(\varepsilon_1 > 0 \to \exists \delta_1(\delta_1 > 0 \to (\forall x_1(|x_1 - a| < \delta_1 \to ((x_1 \neq a) \to (|\tfrac{f(x_1) - f(a)}{x_1 - a} - f'(a)| < \varepsilon_1))))))$$

and the planning goal⁵ 

$$\emptyset \vdash \forall \varepsilon(\varepsilon > 0 \to \exists \delta(\delta > 0 \to (\forall x(|x - a| < \delta \to |f(x) - f(a)| < \varepsilon))))$$




Fig. 4. The proof plan of ContIfDeriv. (Screen shot not reproduced.) 



The proof planner finds a proof plan for ContIfDeriv as depicted in the screen 
shot in Fig. 4. During proof planning, the following constraints are passed to the 
constraint solver CoSIE: 

$$\begin{array}{ll}
\Delta \vdash E_1 > 0 & \Delta \vdash \delta_1 > 0 \\
\Delta \vdash D < \delta_1 & \Delta, (X_1 \neq a) \vdash 0 < M \\
\Delta, (X_1 \neq a) \vdash 0 < M' & \Delta, (X_1 \neq a) \vdash D < M \\
\Delta, (X_1 \neq a) \vdash |f'(a)| < M' & \Delta, (X_1 \neq a) \vdash D < \varepsilon/(4 \cdot M') \\
\Delta, (X_1 \neq a) \vdash E_1 < \varepsilon/(2 \cdot M) & \Delta, (X_1 = a) \vdash X_1 = x,
\end{array}$$



⁵ In this formalization the definitions of limit and derivative have already been expanded, 
but this is not crucial for the purpose of this paper. 
Fig. 5. The context tree for ContIfDeriv. (Figure not reproduced.) 



where $\Delta$ consists of the proof assumption (1) and the constraints $\varepsilon > 0$ and 
$D > 0$. The problem variables $D$, $X_1$, and $E_1$ correspond to $\delta$, $x_1$, and $\varepsilon_1$ in the 
formalization of the problem. $M$ and $M'$ are auxiliary variables introduced by a 
planning operator. 

The context tree for ContIfDeriv is shown in Fig. 5. Note that the two branches 
correspond to the branches of the proof plan that originate from a case split 
on $(X_1 = a \vee X_1 \neq a)$. The shaded nodes correspond to the shaded plan nodes 
in Fig. 4. 

At the end of the planning process, CoSIE computes the following answer 
constraint: 

$$\begin{array}{l}
E_1 > 0 \wedge \delta_1 > 0 \wedge D < \delta_1 \wedge {} \\
(X_1 \neq a \to (0 < M \wedge D < M \wedge 0 < M' \wedge |f'(a)| < M' \wedge E_1 < \varepsilon/(2 \cdot M) \wedge D < \varepsilon/(4 \cdot M'))) \wedge {} \\
(X_1 = a \to X_1 = x).
\end{array}$$

The search procedure of CoSIE computes the following witnesses for the 
problem variables of ContIfDeriv: 

$$D = \min\{\delta_1,\ \}, \quad X_1 = x, \quad E_1 = 2 \cdot (|f'(a)| + 1), \quad M = D, \quad M' = (|f'(a)| + 1).$$

These witnesses satisfy the Eigenvariable conditions $forbidden(E_1) = \{\delta_1\}$ and 
$forbidden(D) = \{x\}$. 
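As an added illustration (not CoSIE's implementation), the following Python sketch keeps the context-tree bookkeeping of Section 3, where a constraint (Δ ⊢ c) is merged into every computation space of the subtree T_Δ and a case split opens a new branch, and feeds it the ContIfDeriv constraints listed above. Constraints are opaque strings, the numeric and symbolic inference run in each space is omitted, and the rule that picks a new node's parent (the node with the largest enclosing context) is an assumption.

```python
# Added illustration, not CoSIE's code: context-tree bookkeeping for the
# ContIfDeriv constraints.  Constraints are opaque strings; the inference
# CoSIE runs inside each computation space is left out.  The parent chosen
# for a new context node (largest context contained in it) is an assumption.

class Node:
    """A context-tree node: its context, the constraints told directly to
    it, and the constraints holding in its computation space."""

    def __init__(self, ctx, parent=None):
        self.ctx = frozenset(ctx)
        self.parent = parent
        self.children = []
        self.told = []                        # (ctx ⊢ c) told at exactly this node
        # a new branch starts from a copy of its parent's computation space
        self.space = list(parent.space) if parent is not None else []


class ContextTree:
    def __init__(self):
        self.root = Node(frozenset())         # the root stands for the common context Δ

    def nodes(self, node=None):
        node = self.root if node is None else node
        yield node
        for ch in node.children:
            yield from self.nodes(ch)

    def leaves(self, node=None):
        return [n for n in self.nodes(node) if not n.children]

    def node_for(self, ctx):
        """Node annotated with ctx; created as a case-split branch under the
        node whose context is the largest one contained in ctx."""
        ctx = frozenset(ctx)
        parent = max((n for n in self.nodes() if n.ctx <= ctx),
                     key=lambda n: len(n.ctx))
        if parent.ctx == ctx:
            return parent
        child = Node(ctx, parent)
        parent.children.append(child)
        return child

    def tell(self, ctx, c):
        """(ctx ⊢ c): record c at the node of ctx and merge it into every
        computation space of the subtree T_ctx, so all its leaves see it."""
        node = self.node_for(ctx)
        node.told.append(c)
        for n in self.nodes(node):
            n.space.append(c)
        return node

    def answer(self, node=None):
        """Answer constraint: a node's own constraints plus one implication
        per branch, guarded by the literals the branch adds to the context."""
        node = self.root if node is None else node
        parts = list(node.told)
        for ch in node.children:
            guard = " ∧ ".join(sorted(ch.ctx - node.ctx))
            parts.append(f"({guard} → {self.answer(ch)})")
        return " ∧ ".join(parts)


def contifderiv():
    """The ten constraints of Section 4, told in the order the two columns
    list them; Δ is the root context and the case split adds X1 != a or X1 = a."""
    delta, neq, eq = (), ("X1 != a",), ("X1 = a",)
    tells = [(delta, "E1 > 0"), (delta, "D < d1"),
             (neq, "0 < M'"), (neq, "|f'(a)| < M'"), (neq, "E1 < e/(2*M)"),
             (delta, "d1 > 0"), (neq, "0 < M"), (neq, "D < M"),
             (neq, "D < e/(4*M')"), (eq, "X1 = x")]
    tree = ContextTree()
    for ctx, c in tells:
        tree.tell(ctx, c)
    return tree


if __name__ == "__main__":
    t = contifderiv()
    for leaf in t.leaves():
        print(sorted(leaf.ctx), leaf.space)
    print(t.answer())
```

Note that "d1 > 0" is told to Δ after the X1 != a branch exists and before the X1 = a branch does, yet both leaf spaces end up containing it.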

5 Conclusion 

The main theme of this paper is the integration of constraint solvers into proof 
planning and the nonstandard requirements caused by proof planning. Since off- 
the-shelf constraint solvers are typically geared towards other applications, we 
address generic extensions of a standard constraint solver that may also extend 
the potential application areas of constraint solving. 
The reasons for the extensions are manifold: the constraint solver's service 
has to be integrated into the proof planner in a logically correct way, the con- 
straints are usually not purely numeric, and the control of proof planning, e.g., 
backtracking, has to be matched on the constraint solver’s side. 

The programming language Oz is well-suited for the extensions reported in 
this paper because it provides concurrent propagation-based constraint inference 
encapsulated in computation spaces. The development of first-class propagators 
in Oz has been initiated, among others, by our need to combine numeric and 
symbolic constraint inference. Additionally, Oz provides the means for building 
new constraint systems from scratch that are as efficient as the built-in ones. 

Related Work. A few theorem proving systems directly include specially designed 
decision procedures for constraint domains, e.g., [4], or a constraint solver [20]. 
All these systems tightly integrate the constraint solving into theorem proving 
rather than integrating an external, stand-alone constraint solver. And, of course, 
none of them does proof planning. 

Our previous work [11] mainly dealt with interfacing and integrating the specially 
designed external constraint solver Lineq into proof planning by designing 
(Tell and Ask) operators, interface functions, and instantiation procedures. We 
also investigated the merits/benefits such an integration can have for proof 
planning if applied appropriately and correctly [13]. We knew that additional 
features of the constraint solver are needed but did not elaborate on this. Now 
CoSIE has been developed based on our previous experiences with symbolic 
constraint solving and based on the RI-module constraint solver of Mozart. 

SoleX [15] is a general scheme for the extension of the constraint language of 
an existing constraint solver, preserving soundness and completeness properties. 
It combines symbolic and numeric inference in a sequential way. We used the 
SoleX approach to handle so-called alien terms in the constraint language of 
CoSIE. Constraint handling rules [7] define constraint theories and implement 
constraint solvers at the same time. 

A context is used in the constraint logic programming language CAL [1] 
to handle guarded clauses. Running a CAL program results in a context tree. 
Therefore, context trees in CAL are conceptually different from the context trees 
presented in this paper. 
Abstract. The effective integration of decision procedures in formula 
simplification is a fundamental problem in mechanical verification. The 
main source of difficulty occurs when the decision procedure is asked 
to solve goals containing symbols which are interpreted for the prover 
but uninterpreted for the decision procedure. To cope with the problem, 
Boyer & Moore proposed a technique, called augmentation, which extends 
the information available to the decision procedure with suitably selected 
facts. Constraint Contextual Rewriting (CCR, for short) is an extended 
form of contextual rewriting which generalizes the Boyer & Moore integration 
schema. In this paper we give a detailed account of the control 
issues related to the termination of CCR. These are particularly subtle 
and complicated since augmentation is mutually dependent on rewriting 
and it must be prevented from indefinitely extending the set of facts 
available to the decision procedure. A proof of termination of CCR is 
given. 



1 Introduction 

The effective integration of decision procedures in formula simplification is one 
of the key problems in mechanical verification. Unfortunately the problem is not 
easy: while it is relatively straightforward to plug a decision procedure inside a 
prover, to obtain an effective integration can be a challenge. The main source of 
difficulty occurs when the decision procedure is asked to solve goals containing 
symbols which are interpreted for the prover but uninterpreted for the decision 
procedure. In such situations it is often the case that the decision procedure cannot 
solve the problem and therefore it is of no help to the prover. 

To cope with the problem, Boyer & Moore [4] devised and implemented a 
heuristics, called augmentation , which extends the information available to the 
decision procedure with facts encoding properties of the symbols the decision 
procedure does not know anything about. In the Boyer & Moore experience the 
heuristics is crucial to obtain an effective integration: they found out that without 
the heuristics the decision procedure is of limited use, whereas its introduction 
improves dramatically the performance of the prover (both in speed and in de- 
creased user interaction). 

* We are indebted to Michael Rusinowitch and Sorin Stratulat for many helpful discussions. We 
are grateful to Enrico Giunchiglia for very useful feedback on an early draft of this paper. The 
authors are supported in part by Conferenza dei Rettori delle Università Italiane (CRUI) 
in collaboration with Deutscher Akademischer Austauschdienst (DAAD) under the Vigoni 
Programme. 

H. Kirchner and C. Ringeissen (Eds.): FroCoS 2000, LNAI 1794, pp. 47-61, 2000. 
The problem with the augmentation heuristics is that it greatly complicates 
the integration schema, and sophisticated control strategies are needed to control 
the augmentation activity. The complexity of the resulting integration schema 
(together with the fact that in the 40 page long description available in [4] high 
level design decisions are intermixed with optimizations) has probably discouraged 
many, thereby preventing a wide use of the approach.¹ 

Constraint Contextual Rewriting [1] (CCR(X) for short) is a generalized form 
of contextual rewriting [21,20] which incorporates the functionalities provided 
by a decision procedure. The services of the decision procedure are characterized 
abstractly and the notation CCR(X) (by analogy with the CLP(X) notation used 
to denote the Constraint Logic Programming paradigm [11]) is used to stress the 
independence of CCR(X) from the theory decided by the decision procedure. In 
the same paper we showed that contextual rewriting as well as the integration 
schemas employed in the simplifiers of nqthm [4] and Tecton [14] are instances 
of CCR(X). 

This paper extends [1] by providing a detailed account of the control issues of 
CCR(X). These are particularly subtle and complicated since (i) augmentation 
is mutually dependent on rewriting and (ii) augmentation must be prevented 
from indefinitely extending the set of facts available to the decision procedure. 
In this paper we refine CCR(X) so as to ensure its termination. Notice that the 
problem of termination is not even mentioned in [4]. 

Similarly to [4] our work is addressed to those interested in the effective 
integration of decision procedures in larger provers or in the design of decision 
procedures intended for such a purpose. By using CCR(X) as a reference model, 
the problem of the integration of decision procedures in formula simplification is 
reduced to the implementation of a decision procedure for the fragment of choice 
whose interface functionalities are as specified in the paper. 

It is worth emphasizing that we do not address the problem of combining 
decision procedures as done, e.g., in [19,17,6]. Instead, we focus on the com- 
plementary problem of integrating (or incorporating ) decision procedures (either 
compound or not) within formula simplification. 

Plan of the paper. We begin in Section 2 with an introductory discussion 
on contextual rewriting. Section 3 presents in detail (the refined version 
of) CCR(X) and includes a thorough discussion on augmentation and the con- 
trol problems it introduces. The soundness and termination of CCR(X) are then 
formally stated in Section 4 and the proof of termination is given in the same sec- 
tion. The related work is discussed in Section 5 and some conclusions are drawn 
in Section 6. 



2 Contextual Rewriting 

Contextual rewriting is an extended form of conditional rewriting whereby in- 
formation contained in the context of the expression being rewritten is used by 

1 To our knowledge — if we exclude nqthm and its descendant ACL2 [15] — Tecton [13] is the 
only prover based on the Boyer & Moore’s original ideas. 
the rewriting activity. To illustrate, let us consider the problem of rewriting the 
literal $p$ occurring in the clause $\{p\} \cup E$ via a set of conditional rewrite rules, 
say $R$. The key idea of contextual rewriting is that while rewriting $p$ (the focus 
literal) it is legal to assume the truth of the set of negations of the literals in $E$ 
(the (rewriting) context). 

Example 1. Let $R$ contain the conditional rule 

$$f(U) = f(V) \to r(g(U, V), U) = U \qquad (1)$$

and let $\{r(g(y, z), x) = x,\ g(x, y) \neq g(y, z),\ y \neq x\}$ be the clause to be simplified. 
If we take $r(g(y, z), x) = x$ as focus literal, then the context is $\{g(x, y) = g(y, z),\ y = x\}$. 
Notice that the left hand side of (1) does not match with the left 
hand side of the focus literal. However, the first element of the context, namely 
$g(x, y) = g(y, z)$, allows us to rewrite the focus literal to $r(g(x, y), x) = x$. The 
left hand side of (1) now matches with (the rewritten version of) the focus. (1) 
can then be applied (leaving us with the identity $x = x$) provided that the condition 
$f(x) = f(y)$ can be established. $f(x) = f(y)$ is not a consequence of $R$; 
however, it readily follows from the fact $y = x$ occurring in the context by the 
properties of equalities. ★ 

As the previous example illustrates, the context is used both (i) to rewrite the fo- 
cus literal (possibly enabling the application of rewrite rules) and (ii) to establish 
the conditions of conditional rewrite rules. In both cases the kind of reasoning 
applied amounts to reasoning about the properties of ground equalities. Indeed a 
decision procedure for ground equalities, as described for instance in [18], suffices 
to support contextual reasoning and hence to mechanize the reasoning of Exam- 
ple 1. The key observation here is that contextual rewriting can be obtained by 
combining traditional conditional rewriting with a “decision procedure” capable 
of deciding whether any given literal is entailed by the context and normalizing 
expressions w.r.t. the information available in the context. 2 Furthermore the pat- 
tern of interaction between rewriting and the decision procedure does not depend 
on the theory decided by the decision procedure. CCR(X) is then the result of ab- 
stracting contextual rewriting from the theory decided by the decision procedure 
employed. The traditional notion of contextual rewriting therefore becomes an 
instance of CCR(X) whereby X is instantiated by a decision procedure for ground 
equalities and new forms of contextual rewriting can be obtained by instantiating 
X to decision procedures for different decidable theories. 

To illustrate, let us assume that X is instantiated to a decision procedure for 
total orders and let us consider the following variant of Example 1. 

Example 2. Let $R$ contain the conditional rule 

$$g(U, V) < U \to r(g(U, V), U) = U \qquad (2)$$

and let $r(g(y, z), x) = x$ and $\{x > g(y, z),\ g(x, y) \leq g(y, z),\ g(x, y) \geq g(y, z)\}$ 
be the focus and the context respectively. Similarly to Example 1, the left hand 
side of (2) does not match with the left hand side of the focus literal. However, 
since $g(x, y) = g(y, z)$ is a logical consequence of the context we assume that 
the decision procedure rewrites the focus literal to $r(g(x, y), x) = x$. This step 
enables the matching of the left hand side of (2) and therefore we are left with 
the problem of establishing the condition $g(x, y) < x$, which is easily found to be 
a consequence of the context by the decision procedure. ★ 

² Consistently with the literature we use the term decision procedure in a very liberal sense. 
A precise definition is given in Section 3.3. 

It is worth pointing out that contextual rewriting differs from conventional rewriting 
in two essential ways. Firstly, proofs do not have a linear structure. This feature 
(inherited from conditional rewriting) is due to the presence of subsidiary 
proofs needed to establish the conditions of conditional rewrite rules. This results 
in a hybrid notion of proof which combines the linear structure of reduction 
proofs with the tree-structured proofs of sequent calculi. Secondly, due to the 
dependency on the context, rewriting is a ternary relation and not a binary relation 
as in conventional rewriting. These considerations motivate the definition 
of contextual reduction systems introduced in Section 3.2. 

3 Constraint Contextual Rewriting 

3.1 Preliminaries 

By $\Sigma$, $\Pi$ (possibly subscripted) we denote finite sets of function and predicate 
symbols (with their arity), respectively. A signature is a pair of the form $(\Sigma, \Pi)$. 
$V$ (possibly subscripted) denotes a finite set of variables.³ $\tau(\Sigma, V)$ is the set of 
terms built on $\Sigma$ and $V$ and defined in the usual way. $\tau(\Sigma)$ abbreviates $\tau(\Sigma, \emptyset)$, 
i.e. the set of ground terms. For the sake of simplicity we consider quantifier-free 
first-order languages and we assume the usual conceptual machinery (e.g. the 
notion of substitution and the definition of position in an expression) as given, 
e.g., in [7]. A $(\Sigma, \Pi, V)$-atom is either an expression $q(t_1, \ldots, t_n)$ where $q \in \Pi$ 
and $t_i \in \tau(\Sigma, V)$ ($i = 1, \ldots, n$) or one of the propositional constants true and 
false denoting truth and falsity respectively. $(\Sigma, \Pi, V)$-formulae are built in 
the obvious way using the standard logical connectives (i.e. $\neg$, $\wedge$, $\vee$, $\to$, $\leftrightarrow$). A 
$(\Sigma, \Pi, V)$-literal is either a $(\Sigma, \Pi, V)$-atom, $p(t_1, \ldots, t_n)$, or a negated $(\Sigma, \Pi, V)$-atom, 
$\neg p(t_1, \ldots, t_n)$, and $t_1, \ldots, t_n$ are the arguments of the literal. The set of 
$(\Sigma, \Pi, V)$-expressions is the union of $\tau(\Sigma, V)$ and the set of $(\Sigma, \Pi, V)$-formulae. 
We write $(\Sigma, \Pi)$-atom (-literal, -expression) instead of $(\Sigma, \Pi, \emptyset)$-atom (-literal, 
-expression). A $(\Sigma, \Pi, V)$-clause is a disjunction of literals which we indicate as a 
finite set of $(\Sigma, \Pi, V)$-literals. We will write $s \neq t$, $s \not< t$, \ldots in place of $\neg(s = t)$, 
$\neg(s < t)$, \ldots (resp.). $e \simeq e'$ stands for $e = e'$ ($e \leftrightarrow e'$) if $e$ and $e'$ are terms 
(formulae, resp.). If $a$ is an atom, then $\overline{a}$ abbreviates $\neg a$ and $\overline{\overline{a}}$ stands for $a$. 
If $Q$ is a set of literals, then $\overline{Q}$ abbreviates $\{\overline{q} : q \in Q\}$, $Q \blacktriangleright p$ abbreviates the 
clause $\overline{Q} \cup \{p\}$, and $\bigwedge Q$ abbreviates any conjunction of all the literals in $Q$. 

³ We use different fonts to emphasize the distinction between the variables and the symbols 
occurring in signatures and the symbolism used in the informal presentation. For instance we 
use the notation "x" for a symbol which is part of a given signature, "X" (capital letter) for 
a variable, and use the notations "x" and "X" in the informal metamathematics. Similarly 
we use the notation $=, <, \leq, >, \geq$ when these symbols belong to a given signature, and use 
the notation $=, <, \leq, >, \geq$ when they belong to the informal metamathematics. 
If $\phi$ is a $(\Sigma, \Pi, V)$-formula and $\Gamma$ is a set of $(\Sigma, \Pi, V)$-formulae, then $\phi$ is 
a logical consequence of $\Gamma$ iff $\Gamma \models \phi$, where $\models$ denotes entailment in classical 
logic. A $(\Sigma, \Pi, V)$-theory is a set of $(\Sigma, \Pi, V)$-formulae closed under logical consequence. 
If $T$ is a theory, then $\Gamma \models_T \phi$ abbreviates $T \cup \Gamma \models \phi$. $\phi$ is $T$-consistent 
iff there exists a model of $T \cup \{\phi\}$, and $T$-inconsistent otherwise. $\phi$ is $T$-valid iff $\phi$ 
is a logical consequence of $T$ or, equivalently, iff $\phi \in T$; $\phi$ and $\psi$ are $T$-equivalent 
iff $(\phi \leftrightarrow \psi)$ is $T$-valid. 

In the following we consider two theories $T_c$ and $T_i$ of signature $(\Sigma_c, \Pi_c)$ and 
$(\Sigma_i, \Pi_i)$ respectively s.t. $\Sigma_c \subseteq \Sigma_i$, $\Pi_c \subseteq \Pi_i$, and $T_c \subseteq T_i$. The objective will 
be to simplify $(\Sigma_i, \Pi_i)$-expressions using a decision procedure for $T_c$ (hence $T_c$ 
is assumed to be decidable). 



3.2 Contextual Reduction Systems 

We now introduce the notion of contextual reduction system by generalizing that 
of abstract reduction system given in [16]. This will be useful to specify CCR(X) 
in a way that is precise, concise, and incremental at the same time. 

Let $\mathcal{L}$ be a set of labels. For all $\ell \in \mathcal{L}$ let $C_\ell$, $E_\ell$ be sets of expressions and 
$S(C_\ell, E_\ell)$ be the set of sequents of the form $c :: e \xrightarrow[\ell]{} e'$ for all $c \in C_\ell$ and $e, e' \in E_\ell$. 

A contextual reduction system (CRS for short) is a structure $\langle \{S(C_\ell, E_\ell)\}_{\ell \in \mathcal{L}}, \mathcal{R} \rangle$, 
where $\mathcal{R}$ is a set of inference rules of the form:⁴ 



$$\frac{c_1 :: e_1 \xrightarrow[\ell_1]{} e_1' \qquad \cdots \qquad c_n :: e_n \xrightarrow[\ell_n]{} e_n'}{c :: e \xrightarrow[\ell]{r} e'}\ \text{if } Cond \qquad (3)$$

where the $r$ above the arrow in the conclusion of the rule is the name of the 
inference rule. An $\ell$-reduction of $e_0$ to $e_m$ in context $c$ is an expression of the 
form $c :: e_0 \xrightarrow[\ell]{r_1, \Pi_1} e_1 \xrightarrow[\ell]{r_2, \Pi_2} \cdots\ e_{m-1} \xrightarrow[\ell]{r_m, \Pi_m} e_m$ with $m \geq 1$ s.t. either $m = 1$, $e_1 = e_0$, 
and $\Pi_1 = []$ (called trivial reduction) or $c :: e_{i-1} \xrightarrow[\ell]{r_i} e_i$ (for $i = 1, \ldots, m$) is the 
conclusion of an inference rule with premises $c_{i,j} :: e_{i,j} \xrightarrow[\ell_{i,j}]{} e_{i,j}'$ for $j = 1, \ldots, n_i$, 
and the $j$-th element of $\Pi_i$ is an $\ell_{i,j}$-reduction of $e_{i,j}$ to $e_{i,j}'$ in context $c_{i,j}$. 
$c :: e_0 \xrightarrow[\ell]{*} e_m$ ($c :: e_0 \xrightarrow[\ell]{+} e_m$) denotes the existence of a (non trivial, resp.) 
$\ell$-reduction of $e_0$ to $e_m$ in context $c$. 

Let $\delta$ and $\delta'$ be $\ell$-reductions s.t. $\delta'$ properly occurs in $\delta$. We say that $\delta'$ is a 
maximal $\ell$-reduction properly occurring in $\delta$ iff there is no other $\ell$-reduction $\delta''$ 
properly occurring in $\delta$ such that $\delta'$ properly occurs in $\delta''$. A CRS is terminating iff 
there exists a family of well-founded relations $\{\prec_\ell\}_{\ell \in \mathcal{L}}$ such that for all $\ell \in \mathcal{L}$ and 
for all $\ell$-reductions $c :: e \xrightarrow[\ell]{} e'$ we have that $(c, e') \prec_\ell (c, e)$ and if $c_1 :: e_1 \xrightarrow[\ell]{} e_1'$ 
is a maximal $\ell$-reduction properly occurring in $\Pi$ then $(c_1, e_1) \prec_\ell (c, e)$. 

⁴ For termination it is convenient to implicitly assume (as we do in the sequel) that the condition 
$e' \neq e$ is in $Cond$. 
3.3 Reasoning Specialists 

According to the usual definition, a decision procedure for $T_c$ is a procedure 
which takes a $(\Sigma_c, \Pi_c)$-formula as input and returns a 'yes-or-no' answer indicating 
whether the input formula is $T_c$-consistent or not. Unfortunately, although 
simple and conceptually elegant, this definition is seldom adequate in practical 
applications. Efficiency considerations require the procedure to be incremental, 
i.e. capable of processing parts of the input problem as soon as they become 
available. Moreover, the procedure is often required to return more than a yes-or-no 
answer. For instance, it may be required to "normalize" any 
given expression w.r.t. the information available in its internal state (cf. Example 2). 
This generalized notion of decision procedure is captured by the notion 
of reasoning specialist. A reasoning specialist is a state-based procedure whose 
states (called constraint stores) are finite sets of $(\Sigma_c, \Pi_c)$-literals represented in 
some internal form and whose functionalities are abstractly characterized in the 
following way.⁵ 

Initialization of the Constraint Store. The first functionality we consider 
is the relation cs-init$(C)$ which characterizes the "empty" constraint stores. 
cs-init$(C)$ is required to be a decidable relation s.t. cs-init$(C)$ holds only if 
$C$ is $T_c$-valid. 

Detection of Inconsistency. cs-unsat$(C)$ characterizes a set of $T_c$-inconsistent 
constraint stores $C$ whose $T_c$-inconsistency can be checked by means of a 
computationally inexpensive syntactic check. We require that cs-unsat$(C)$ is 
decidable and that cs-unsat$(C)$ implies the $T_c$-inconsistency of $C$. 

Constraint Store Simplification. The main functionality of the reasoning 
specialist is a transition relation over constraint stores, $P :: C \xrightarrow{cs\text{-}simp} C'$, which 
models the activity of adding a finite set of $(\Sigma_i, \Pi_i)$-literals $P$ to $C$ yielding a 
new constraint store $C'$. The relation is required to enjoy the following properties: 

(sound.cs-simp) if $P :: C \xrightarrow{cs\text{-}simp} C'$, then $P, \|C\| \models_{T_c} \bigwedge \|C'\|$; 

(decreasing.cs-simp) if $P :: C \xrightarrow{cs\text{-}simp} C'$, then $(P, C') \prec_{cs} (P, C)$; 

where $\prec_{cs}$ is a well-founded relation over pairs of the form $(P, C)$. 

Normalization. $C :: s \xrightarrow{cs\text{-}normal} s'$ computes a normal representation of $s$ w.r.t. 
the information stored in $C$ and must enjoy the following properties: 

(sound.cs-normal) if $C :: s \xrightarrow{cs\text{-}normal} s'$, then $\|C\| \models_{T_c} s \simeq s'$; 

(decreasing.cs-normal) if $C :: s \xrightarrow{cs\text{-}normal} s'$, then $s' \prec_e s$; 

⁵ If $C$ is a constraint store, then $\|C\|$ denotes the set of literals represented by $C$. To simplify 
the presentation we will often blur the distinction between constraint stores and the formulae 
they encode. For instance, we will talk about the consistency of $C$ meaning the consistency 
of $\|C\|$. 
where $\prec_e$ is a reduction ordering over $(\Sigma_i, \Pi_i, V)$-expressions (i.e. a well-founded 
relation closed under substitution and replacement) containing the sub-expression 
relation. 

Table 1. Definition of $edges(c)$ 

$$\begin{array}{l|l}
c & edges(c) \\ \hline
t_1 \leq t_2 & \{(t_1, \leq, t_2)\} \\
t_1 \neq t_2 & \{(t_1, \neq, t_2)\} \\
t_1 \not< t_2 & \{(t_2, \leq, t_1)\} \\
t_1 = t_2 & \{(t_1, \leq, t_2), (t_2, \leq, t_1)\} \\
t_1 < t_2 & \{(t_1, \leq, t_2), (t_1, \neq, t_2)\} \\
t_1 \not\leq t_2 & \{(t_2, \leq, t_1), (t_1, \neq, t_2)\}
\end{array}$$



Example 3 (A reasoning specialist for total orders). Let $\Pi_c = \{=, <, \leq, >, \geq\}$. 
$T_c$ is a $(\Sigma_c, \Pi_c)$-theory for total orders. We consider labeled directed graphs of 
the form $G = (N, E)$ where $N \subseteq \tau(\Sigma_c)$ and $E \subseteq (N \times L \times N)$ where $L$ is 
a finite set of edge labels. The set of nodes and the set of edges of $G$ are denoted 
by $\mathcal{N}(G)$ and $\mathcal{E}(G)$ respectively. Constraint stores are labeled directed 
graphs (called transitivity graphs) $C = (N, E)$ s.t. $N = \tau(\Sigma_c)$, $L = \{\leq, \neq\}$, 
and if $(x, \neq, y) \in E$ then $(y, \neq, x) \in E$. cs-init$(C)$ holds iff $\mathcal{E}(C) = \emptyset$. 
cs-unsat$(C)$ holds iff $C$ contains an edge of the form $(t_1, \neq, t_2)$ and $t_1$ and 
$t_2$ occur in a strongly $\leq$-connected subgraph of $C$. If $P$ is a set of literals, 
then let $Edges(P) = \bigcup_{c \in P} edges(c)$ with $edges(c)$ defined as in Table 1 if $c$ is 
a $(\Sigma_c, \Pi_c)$-literal and $edges(c) = \emptyset$ otherwise. Furthermore, we define $edges(t_1 > t_2) = edges(t_2 < t_1)$, 
$edges(t_1 \not> t_2) = edges(t_1 \leq t_2)$, $edges(t_1 \geq t_2) = edges(t_2 \leq t_1)$, 
and $edges(t_1 \not\geq t_2) = edges(t_1 < t_2)$. $P :: C \xrightarrow{cs\text{-}simp} C'$ holds iff $Edges(P) \not\subseteq \mathcal{E}(C)$ 
and in such a case $C' = (\mathcal{N}(C), \mathcal{E}(C) \cup Edges(P))$. From this it readily 
follows that $Edges(P) \subseteq \mathcal{E}(C')$ and this suggests that a suitable definition for 
$\prec_{cs}$ is $(P', C') \prec_{cs} (P, C) \equiv |Edges(P') \setminus \mathcal{E}(C')| < |Edges(P) \setminus \mathcal{E}(C)|$. The well-foundedness 
of $\prec_{cs}$ is a straightforward consequence of the well-foundedness of 
the relation of (proper) set inclusion over finite sets. (decreasing.cs-simp) readily 
follows from the above observations. $C :: e \xrightarrow{cs\text{-}normal} e'$ is defined to hold whenever 
$e = e[s]_u$, $e' = e[t]_u$, $e' \prec_e e$, and $s$ and $t$ occur in a strongly $\leq$-connected 
subgraph of $C$. $\|C\|$ is the set of atoms $r(s, t)$ s.t. there exists an edge $(s, r, t)$ 
in $C$. It is easy to verify that $\xrightarrow{cs\text{-}simp}$ and $\xrightarrow{cs\text{-}normal}$ enjoy (sound.cs-simp) and 
(sound.cs-normal) respectively. ★ 
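The reasoning specialist of Example 3, as an added Python example that is not the paper's code: it builds the transitivity graph for the context of Example 2, normalizes the focus term r(g(y,z),x) to r(g(x,y),x), and establishes the condition g(x,y) < x of rule (2) by checking that the store becomes cs-unsat once the negated condition is added (the ext-entails pattern of Section 3.4). The reduction ordering ≺_e (term size, then text) is an assumption; the paper only requires some reduction ordering.

```python
# Added example, not the paper's code: the transitivity-graph reasoning
# specialist of Example 3, run on the context and focus of Example 2.
# Ground terms are nested tuples such as ("g", ("x",), ("y",)); a literal is
# (rel, t1, t2) with rel in {<, <=, >, >=, =} or its negation "!rel".
# The reduction ordering ≺_e used by cs-normal (term size, then text) is an
# assumption; the paper only requires some reduction ordering.
from collections import deque

LE, NE = "<=", "!="          # the edge labels L = {≤, ≠}

def show(t):
    """Render a term tuple as text: ("g", ("x",), ("y",)) -> "g(x,y)"."""
    return t[0] if len(t) == 1 else f"{t[0]}({','.join(show(a) for a in t[1:])})"

def size(t):
    return 1 + sum(size(a) for a in t[1:])

def smaller(s, t):
    """s ≺_e t under the assumed ordering (size first, then text)."""
    return (size(s), show(s)) < (size(t), show(t))

def replace(e, s, t):
    """e[t]_u for every position u at which the subterm s occurs in e."""
    return t if e == s else (e[0],) + tuple(replace(a, s, t) for a in e[1:])

def negate(lit):
    rel, t1, t2 = lit
    return (rel[1:] if rel.startswith("!") else "!" + rel, t1, t2)

def edges(lit):
    """edges(c) of Table 1 plus the four derived cases of Example 3."""
    rel, t1, t2 = lit
    derived = {">": ("<", t2, t1), ">=": ("<=", t2, t1),
               "!>": ("<=", t1, t2), "!>=": ("<", t1, t2)}
    if rel in derived:
        return edges(derived[rel])
    table = {"<=": {(t1, LE, t2)}, "!=": {(t1, NE, t2)}, "!<": {(t2, LE, t1)},
             "=": {(t1, LE, t2), (t2, LE, t1)}, "<": {(t1, LE, t2), (t1, NE, t2)},
             "!<=": {(t2, LE, t1), (t1, NE, t2)}}
    return table.get(rel, set())     # alien literal: contributes no edge

class TransitivityGraph:
    """Constraint store C = (N, E): N is implicitly all ground terms and the
    ≠ edges are kept symmetric, as Example 3 requires."""

    def __init__(self, E=()):
        E = set(E)
        self.E = frozenset(E | {(t, NE, s) for s, l, t in E if l == NE})

    def cs_init(self):
        return not self.E

    def cs_simp(self, P):
        """P :: C -cs-simp-> C' iff Edges(P) ⊈ E(C); returns C' or None."""
        new = set().union(*(edges(c) for c in P))
        return None if new <= self.E else TransitivityGraph(self.E | new)

    def reach(self, s):
        """Terms reachable from s along ≤-edges (s included)."""
        seen, todo = {s}, deque([s])
        while todo:
            u = todo.popleft()
            for a, l, b in self.E:
                if l == LE and a == u and b not in seen:
                    seen.add(b); todo.append(b)
        return seen

    def same_scc(self, s, t):
        """s and t occur in a strongly ≤-connected subgraph of C."""
        return t in self.reach(s) and s in self.reach(t)

    def cs_unsat(self):
        return any(l == NE and self.same_scc(s, t) for s, l, t in self.E)

    def cs_normal(self, e):
        """One step C :: e -cs-normal-> e': a subterm s of e is replaced by a
        ≺_e-smaller t from the same strongly ≤-connected subgraph."""
        nodes = {x for a, _, b in self.E for x in (a, b)}
        for s in nodes:
            for t in nodes:
                if s != t and smaller(t, s) and self.same_scc(s, t):
                    e2 = replace(e, s, t)
                    if e2 != e:
                        return e2
        return None

def entailed(C, lit):
    """ext-entails (Section 3.4): lit rewrites to true in C iff extending C
    with the negation of lit yields a cs-unsat store."""
    C2 = C.cs_simp([negate(lit)]) or C
    return C2.cs_unsat()

def example2():
    """Context {x > g(y,z), g(x,y) <= g(y,z), g(x,y) >= g(y,z)}, focus term
    r(g(y,z),x): returns the normalized focus, whether the condition
    g(x,y) < x of rule (2) is entailed, and whether the context is unsat."""
    x, y, z = ("x",), ("y",), ("z",)
    gyz, gxy = ("g", y, z), ("g", x, y)
    C = TransitivityGraph().cs_simp([(">", x, gyz), ("<=", gxy, gyz), (">=", gxy, gyz)])
    return show(C.cs_normal(("r", gyz, x))), entailed(C, ("<", gxy, x)), C.cs_unsat()
```

`example2()` returns `("r(g(x,y),x)", True, False)`: the focus is normalized exactly as in Example 2, the condition of rule (2) is entailed, and the context itself is consistent.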



3.4 Clause Simplification and Rewriting 

A simple form of clause simplification can be modeled as the binary relation over 
clauses, $\xrightarrow{simp}$, defined by the following rules: 

$$E \cup \{true\} \xrightarrow[simp]{cl\text{-}true} \{true\} \qquad\qquad E \cup \{false\} \xrightarrow[simp]{cl\text{-}false} E$$

$$\frac{\overline{E} :: C_0 \xrightarrow{cs\text{-}extend} C \qquad C :: p \xrightarrow{ccr} p'}{E \cup \{p\} \xrightarrow[simp]{cl\text{-}simp} E \cup \{p'\}}\ \text{if cs-init}(C_0)$$

The inference rule cl-true (cl-false) specifies how to simplify a clause when the 
constant true (false, resp.) is in it. cl-simp says that a literal $p$ in a clause $E \cup \{p\}$ 
can be replaced by a new literal $p'$ obtained by constraint contextually rewriting $p$ 
in context $C$ (premise $C :: p \xrightarrow{ccr} p'$), where $C$ is obtained by extending the empty 
rewriting context $C_0$ (condition cs-init$(C_0)$) with the negated literals in $E$ 
(premise $\overline{E} :: C_0 \xrightarrow{cs\text{-}extend} C$). $\xrightarrow{cs\text{-}extend}$ is a ternary relation modeling the interface 
with the reasoning specialist which, for the time being, we assume coincides with 
the $\xrightarrow{cs\text{-}simp}$ relation, i.e. it is defined by: 

$$\frac{P :: C \xrightarrow{cs\text{-}simp} C'}{P :: C \xrightarrow[cs\text{-}extend]{cs\text{-}simp} C'}$$

where $P$ is a finite set of $(\Sigma_i, \Pi_i)$-literals. The $\xrightarrow{cs\text{-}extend}$ relation is introduced 
for modularity reasons and will be extended in Section 3.5. 

Let $R$ be a finite set of $T_I$-valid clauses. The (ternary) constraint contextual
rewriting relation $\to_{ccr}$ is defined by the following three rules. A literal $p$ can be
rewritten to true in rewrite context $C$ if the result of extending the context with
the negation of the literal being rewritten yields an inconsistent rewrite context.
This is formalized by:

$$\frac{\{\overline{p}\} :: C \rhd_{cs\text{-}extend} C'}{C :: p \to_{ccr} true} \qquad \text{cxt-entails} \quad \text{if } p \text{ is a } (\Sigma_I, \Pi_c)\text{-literal and } cs\text{-}unsat(C')$$

The activity of normalizing an expression w.r.t. the information stored in the
rewriting context is modeled by:

$$\frac{C :: e \rhd_{cs\text{-}normal} e'}{C :: e \to_{ccr} e'} \qquad \text{normal}$$

Finally conditional rewriting is formalized by:⁶

$$\frac{C :: Q\sigma \to_{ccr} \emptyset}{C :: s[l\sigma]_u \to_{ccr} s[r\sigma]_u} \qquad \text{crew} \quad \text{if } (Q \to l = r) \in R \text{ and } \sigma \text{ is a ground substitution s.t. } Q\sigma \cup \{s[r\sigma]_u\} \prec\!\!\prec_e \{s[l\sigma]_u\}$$

i.e. rewrite the sub-expression $l\sigma$ at position $u$ in the expression $s$ to the sub-
expression $r\sigma$ in the rewriting context $C$ if a clause of the form $(Q \to l = r)$
is in $R$, $\sigma$ is a ground substitution s.t. all the expressions in $Q\sigma \cup \{s[r\sigma]_u\}$ are
$\prec_e$-smaller than $s[l\sigma]_u$, and the instantiated conditions $Q\sigma$ can be recursively
established in the same rewriting context $C$. $\prec\!\!\prec_e$ is the multiset extension of $\prec_e$.

⁶ By abuse of notation we write $C :: Q \to_{ccr} \emptyset$ in place of $C :: q \to_{ccr} true$ for all $q \in Q$.

3.5 Augmenting the Constraint Store 

Although the notion of CCR(X) we have defined so far is already a significant
improvement over contextual rewriting, there is obviously still room for improve-
ment. A serious limitation is revealed by the situation in which the rewriting
context is $T_I$-inconsistent but not $T_c$-inconsistent. When this is the case, the
$T_I$-inconsistency of the rewriting context cannot possibly be detected by the
reasoning specialist. The occurrence in the rewriting context of (function) sym-
bols interpreted in $T_I$ but not in $T_c$ is the main cause of the problem. The key idea
of augmentation is to extend the rewriting context with $T_I$-valid facts, thereby
informing the reasoning specialist about properties of function symbols it is not
aware of. By adding $T_I$-valid facts to the rewriting context, the heuristics aims
at generating a $T_I$-equivalent but $T_c$-inconsistent context whose $T_I$-inconsistency
can therefore be detected by the reasoning specialist. The selection of suitable
$T_I$-valid facts is done by looking through the available lemmas.

Example 4. Let $T_I$ be a theory of natural numbers with the usual interpretation
of the symbols. Let $\Sigma_c = \Sigma_I$ and let $\Pi_c$, $T_c$, and $\rhd_{cs\text{-}simp}$ be as in Example 3.
Under such hypotheses, the following formula

$$X > 4 \to X^2 < 2^X \qquad (4)$$

is in $T_I$, but not in $T_c$. Let us now consider the problem of establishing the
$T_I$-inconsistency of the set of literals

$$P = \{a > 4,\; b < a^2,\; 2^a < b\} \qquad (5)$$

If we add $P$ to an initial constraint store, $C_0$, by means of the $\rhd_{cs\text{-}simp}$ relation,
we get a new transitivity graph $C$ comprising the edges $(4, <, a)$, $(b, <, a^2)$,
$(2^a, <, b)$, and $(2^a, \neq, b)$. $C$ (and hence $P$) is trivially $T_c$-consistent since no
strongly $<$-connected subgraphs are in it. On the other hand it is also easy to
verify that (5) is $T_I$-inconsistent. If (4) is an available lemma, then from it we
can obtain the instance

$$a^2 < 2^a \qquad (6)$$

by instantiating $X$ to $a$ and relieving the condition $a > 4$ using $C$ as rewriting
context. Now, it is easy to verify that if we add (6) to $C$ we get a new transitivity
graph $C'$ in which $2^a$ and $b$ occur in a $<$-connected subgraph and a $\neq$-labeled
edge linking $2^a$ with $b$ does exist. Therefore $C'$ is $T_c$-inconsistent.

Notice that the task of establishing the $T_I$-inconsistency of (5) falls largely
beyond the scope of a decision procedure for total orders. The problem is never-
theless solved thanks to the use of the augmentation heuristics. ★
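The store manipulations of Examples 3 and 4 (the transitivity graph, cs-unsat as a ≠ edge inside a strongly <-connected subgraph, cxt-entails as "add the negated literal and test for inconsistency", and the augmentation step that adds the lemma instance (6)) replayed in Python, as an added example that is not code from the paper or from the RDL system. Table 1 is not reproduced on this page, so the edge encoding in `edges()` is an assumption: the "<" label is read as a non-strict edge, and a strict literal also contributes the symmetric ≠ pair, which is what makes a strongly <-connected subgraph stand for a set of equal terms. Term names such as `"a^2"` and `"2^a"` are plain strings; the selection machinery of Example 5 is not modeled.

```python
from itertools import product

# Added example, not code from the paper or from RDL.  Edge labels L = {<, !=}.
LE, NE = "<", "!="


def edges(lit):
    """Edges contributed by a ground order literal (s, op, t).

    Assumption (Table 1 of the paper is not on this page): the "<" label records
    s <= t, and a strict literal s < t contributes s <= t plus the symmetric pair
    s != t, t != s.  Under this reading a strongly "<"-connected subgraph is a set
    of equal terms, so a "!=" edge inside it is a contradiction (cs-unsat).
    The derived cases follow the paper: edges(t1 > t2) = edges(t2 < t1), etc.
    """
    s, op, t = lit
    if op in (">", ">="):
        s, t, op = t, s, {">": "<", ">=": "<="}[op]
    ne_pair = {(s, NE, t), (t, NE, s)}
    return {
        "<": {(s, LE, t)} | ne_pair,
        "<=": {(s, LE, t)},
        "=": {(s, LE, t), (t, LE, s)},
        "!=": ne_pair,
    }[op]


def negate(lit):
    """Negation of an order literal, as used by the premise of cxt-entails."""
    s, op, t = lit
    return (s, {"<": ">=", ">=": "<", ">": "<=", "<=": ">", "=": "!=", "!=": "="}[op], t)


class TransitivityGraph:
    """Constraint store C = (N, E); the node set N is implicit in the edge triples."""

    def __init__(self, edge_set=()):
        self.edges = set(edge_set)

    def extend(self, lits):
        """P :: C |>cs-simp C': applies iff Edges(P) is not already contained in E(C).
        Returns True iff the store grew."""
        new = set().union(*(edges(l) for l in lits)) - self.edges
        self.edges |= new
        return bool(new)

    def reach(self):
        """Reflexive-transitive closure of the "<" edges (Warshall; stores are tiny)."""
        nodes = {x for s, _, t in self.edges for x in (s, t)}
        r = {(s, t) for s, lab, t in self.edges if lab == LE} | {(n, n) for n in nodes}
        for k, i, j in product(nodes, repeat=3):      # k is the outermost loop
            if (i, k) in r and (k, j) in r:
                r.add((i, j))
        return r

    def unsat(self):
        """cs-unsat(C): some "!=" edge whose endpoints lie in a strongly "<"-connected subgraph."""
        r = self.reach()
        return any(lab == NE and (s, t) in r and (t, s) in r for s, lab, t in self.edges)

    def entails(self, lit):
        """cxt-entails: lit rewrites to true iff extending C with its negation is inconsistent."""
        trial = TransitivityGraph(self.edges)
        trial.extend([negate(lit)])
        return trial.unsat()


def example_4():
    """Replays Example 4: (5) is T_c-consistent; the condition a > 4 of lemma (4)
    instantiated with X := a is relieved against the store; adding the instance
    (6) a^2 < 2^a closes the cycle b <= a^2 <= 2^a <= b, and cs-unsat fires."""
    P = [("a", ">", "4"), ("b", "<", "a^2"), ("2^a", "<", "b")]   # (5), constructed input
    C = TransitivityGraph()
    C.extend(P)
    consistent_before = not C.unsat()
    condition_relieved = C.entails(("a", ">", "4"))               # premise of lemma (4)
    if condition_relieved:
        C.extend([("a^2", "<", "2^a")])                           # instance (6)
    return consistent_before, condition_relieved, C.unsat()


if __name__ == "__main__":
    print(example_4())   # (True, True, True)
```

The three booleans returned by `example_4()` are exactly the three observations of the example: the store built from (5) is consistent for the order specialist, the lemma condition is entailed by it, and the augmented store is inconsistent.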
In the above example a single lemma (namely (4)) is available and a single in-
stance of the lemma suffices to detect the inconsistency of the constraint store.
In the general case, several lemmas may be available and multiple instances of
each lemma can potentially be helpful in detecting the inconsistency of the con-
straint store. Also, in our example the condition $a > 4$ is immediately found to
be a consequence of the constraint store whereas in the general case augmenta-
tion may also be necessary to establish the conditions of the lemmas. A form of
augmentation capable of handling all these situations is obtained by extending the
definition of $\rhd_{cs\text{-}extend}$ with the following rule:

$$\frac{C :: Q\sigma \to_{ccr} \emptyset \qquad C :: c\sigma \to_{ccr} c' \qquad \{c'\} :: C \rhd_{cs\text{-}simp} C'}{P :: C \rhd_{cs\text{-}extend} C'} \qquad \text{naive-augment}$$
$$\text{if } (Q \to c) \in R,\; c\sigma \text{ is a } (\Sigma_I, \Pi_c)\text{-literal, and } Q\sigma \prec\!\!\prec_e \{c\sigma\}$$

This inference rule states that the rewriting context can be extended with a new
literal $c'$ provided that a clause of the form $(Q \to c)$ is in $R$, $\sigma$ is a substitution
s.t. $Q\sigma \prec\!\!\prec_e \{c\sigma\}$, the instantiated hypotheses $Q\sigma$ can be established, and $c'$ is
the result of (constraint contextual) rewriting $c\sigma$. The rationale for applying
$\to_{ccr}$ to $c\sigma$ is that rewriting can replace some of the symbols in $c\sigma$ with symbols
the reasoning specialist knows about (e.g. by unfolding definitions), therefore the
addition of $c'$ in place of $c$ enhances the probability of detecting the inconsistency.

The problem with the above rule is that it compromises the termination of
CCR(X). We recall from Section 3.2 that for CCR(X) to be terminating, there
must exist a well-founded relation $\prec_{cs\text{-}extend}$ s.t. for all cs-extend-reductions
$P :: C \rhd_{cs\text{-}extend} C'$ we have that $(P, C') \prec_{cs\text{-}extend} (P, C)$ and if $P_1 :: C_1 \rhd_{cs\text{-}extend} \cdots$ is
a maximal cs-extend-reduction properly occurring in $\Pi$ then $(P_1, C_1) \prec_{cs\text{-}extend}$
$(P, C)$. But this is not the case in general. For instance, it is possible to have maxi-
mal cs-extend-reductions properly occurring in $\Pi_1$ of the form $\{p'\} :: C \rhd_{cs\text{-}extend} \cdots$
where $p'$ is s.t. $C :: p\sigma \to^*_{ccr} p'$ and $p \in Q$. For termination $(\{p'\}, C) \prec_{cs\text{-}extend}$
$(P, C)$ must hold, but this is not true in general (e.g. when $P = \{p'\}$).

To retain termination the following, more elaborate, version of augmentation
is needed:

$$\frac{C' :: Q\sigma \to_{ccr} \emptyset \qquad C' :: c\sigma \to_{ccr} c' \qquad \{c'\} :: C' \rhd_{cs\text{-}simp} C''}{P :: C \rhd_{cs\text{-}extend} C''} \qquad \text{augment}$$
$$\text{if } (Q \to c) \in R,\; c\sigma \text{ is a } (\Sigma_I, \Pi_c)\text{-literal},\; (P, C, c) \Vdash (C', \sigma), \text{ and } Q\sigma \prec\!\!\prec_e \{c\sigma\}$$

where $(P, C, c) \Vdash (C', \sigma)$ models the functionality of computing a new constraint
store $C'$ and a ground substitution $\sigma$ given a constraint store $C$, a finite set of
$(\Sigma_I, \Pi_I)$-literals $P$, and a $(\Sigma_I, \Pi_c, V)$-literal $c$ as input.



Selection of Constraints. The $\Vdash$ relation is required to enjoy the following
properties:⁷

(sound.select) if $(P, C, c) \Vdash (C', \sigma)$ then $\|C'\| = \|C\|$;

(decreasing.select) if $(P, C, c) \Vdash (C', \sigma)$ then $\{c\sigma\} \preceq\!\!\preceq_e (P \cup \|C\|)$ and $(P', C') \prec_{cs} (P, C)$
for all $P' \preceq\!\!\preceq_e (P \cup \|C\|)$.

(sound.select) says that $C'$ has the same logical content of $C$.⁸ (decreasing.select)
says that the selected constraint, $c\sigma$, is not $\prec_e$-bigger than any element in $P \cup \|C\|$
and that $(P', C')$ is $\prec_{cs}$-smaller than $(P, C)$ whenever $P' \preceq\!\!\preceq_e (P \cup \|C\|)$. This
property is fundamental for the termination of CCR(X).

The introduction of augmentation introduces additional constraints on $\prec_{cs}$
(we recall from Section 3.3 that $\prec_{cs}$ is a well-founded relation):

(cs-prec1) $(P, C) \preceq_{cs} (P \cup P', C)$;

(cs-prec2) if $(P, C) \prec_{cs} (P, C')$ then $(P \cup P', C) \preceq_{cs} (P \cup P', C')$;

(cs-prec3) if $P' \preceq\!\!\preceq_e (P \cup \|C\|)$ then $(P \cup P', C) \asymp_{cs} (P, C)$.

where $\preceq_{cs}$ is a symmetric and transitive relation whose strict version coincides
with $\prec_{cs}$ and $\asymp_{cs}$ is the associated equivalence relation. (cs-prec1) and (cs-prec2)
state obvious properties related to the operation of extending $P$ with new ele-
ments. (cs-prec3) states that by extending the first component of a pair $(P, C)$
with literals which are no $\prec_e$-bigger than those already in $(P, C)$ we get a $\asymp_{cs}$-
equivalent pair.

⁷ The functionality modeled by $\Vdash$ is provided by the reasoning specialist and therefore it
conceptually belongs to the list of functionalities given in Section 3.3.

The following example shows that the above properties are easily realizable. 
Notice that this obviously requires a good understanding of the inner workings of 
the reasoning specialist, but no knowledge of the rewrite or simplification engines 
is needed. 

Example 5 (A reasoning specialist for total orders — continued). Let $L^\Delta = L \cup \{\Delta\}$
and define $Edges^\Delta(P) = \{(s, \Delta, t) : (s, r, t) \in Edges(P)\}$. $(P, C, c) \Vdash (C', \sigma)$ holds iff
$c\sigma$ is a $(\Sigma_c, \Pi_c)$-literal whose arguments are non-isolated nodes of $C$ or arguments
of the literals in $P$ s.t. $Edges^\Delta(\{c\sigma\}) \not\subseteq \mathcal{E}(C)$, and in such a case
$C' = (\mathcal{N}(C), \mathcal{E}(C) \cup Edges^\Delta(\{c\sigma\}))$. The role of the edges of the form
$(s, \Delta, t)$ is to keep track of the edges currently being added by the augmentation
heuristics and to prevent the selection of candidate constraints which would lead
to the addition of the same edges. This prevents augmentation from looping.
cs-init$(C)$, cs-unsat$(C)$, and $\|C\|$ are defined as in Example 3 (i.e. they ignore
the edges of the form $(s, \Delta, t)$). In the following, the complementary graph of a
graph $(N, E)$ (where $E \subseteq (N \times L \times N)$) is the graph $(N, (N \times L \times N) \setminus E)$.

(sound.select) trivially follows from the definition. To ensure termination
we must first show the existence of a well-founded relation $\prec_{cs}$ satisfying (cs-
prec1), (cs-prec2), and (cs-prec3), and then show that $\rhd_{cs\text{-}simp}$ and $\Vdash$ enjoy
(decreasing.cs-simp) and (decreasing.select) respectively. To this end we asso-
ciate each pair $(P, C)$ with a finite transitivity graph $G(P, C)$ whose edges are
those of $C$ and whose nodes are the terms $s$ s.t. there exists a term $t$ which occurs
as a non-isolated node of $C$ or as an argument of the literals in $P$ and $s \preceq_e t$.
Notice that the set of nodes of $G(P, C)$ is finite. We define $(P', C') \prec_{cs} (P, C)$
iff $G_1$ is smaller (according to the lexicographic combination of $N' \prec\!\!\prec_e N$ and
$E' \subset E$) than $G_2$, where $G_1$ and $G_2$ are the complementary graphs of $G(P', C')$
and $G(P, C)$, respectively. The well-foundedness of $\prec_{cs}$ readily follows from the
well-foundedness of $\prec\!\!\prec_e$ and of the relation of (proper) set inclusion over fi-
nite sets. (cs-prec1), (cs-prec2), and (cs-prec3) directly follow from the defi-
nition. In order to show that $\rhd_{cs\text{-}simp}$ enjoys (decreasing.cs-simp) it suffices to
observe that if $P :: C \rhd_{cs\text{-}simp} C'$ then $\mathcal{N}(G(P, C')) = \mathcal{N}(G(P, C))$ and that
$\mathcal{E}(G(P, C)) \subset \mathcal{E}(G(P, C')) \subseteq (\mathcal{N}(G(P, C)) \times L \times \mathcal{N}(G(P, C)))$. The proof of
(decreasing.select) is a bit more involved and it is not given here for the lack of
space. ★

⁸ For the soundness of CCR(X) it would be sufficient to require the $T_c$-equivalence of $C'$ with
$C$. However, as we will see in Section 4, (sound.select) plays also a role in the termination
argument.



4 Properties of Constraint Contextual Rewriting

We are now able to state and prove two key properties of CCR(X): soundness
and termination. Let CCR(X) indicate the CRS containing axioms for $\rhd_{cs\text{-}simp}$
and $\rhd_{cs\text{-}normal}$ enjoying the properties stated in Section 3.3, the rules cs-simp,
cxt-entails, normal, and crew presented in Section 3.4, and the rule augment
presented in Section 3.5.

Theorem 1 (Soundness). CCR(X) is sound, i.e.

1. if $C :: e \to^*_{ccr} e'$, then $\|C\| \models_{T_I} e \simeq e'$;

2. if $P :: C \rhd_{cs\text{-}extend} C'$, then $P, \|C\| \models_{T_I} \bigwedge \|C'\|$.

The proof is by induction on the structure of the reductions. It is fairly simple
and therefore it is omitted.

From Theorem 1 the soundness of formula simplification readily follows,
i.e. $\Phi \rhd_{simp} \Phi'$ only if $\models_{T_I} (\Phi \leftrightarrow \Phi')$.

Theorem 2 (Termination). CCR(X) is terminating.

Proof. Let $(C', e') \prec_{ccr} (C, e) = (\{e'\}, C') \prec_{cs} (\{e\}, C)$ and $(P', C') \prec_{cs\text{-}extend}$
$(P, C) = (P', C') \prec_{cs} (P, C)$. Both relations are obviously well-founded since $\prec_{cs}$
is. We prove that all the cs-extend-reductions $P :: C \rhd_{cs\text{-}extend} C'$ are s.t. (i)
$(P, C') \prec_{cs\text{-}extend} (P, C)$ and (ii) all the maximal cs-extend-reductions of the form
$P_1 :: C_1 \rhd_{cs\text{-}extend} \cdots$ properly occurring in $\Pi$ are s.t. $(P_1, C_1) \prec_{cs\text{-}extend} (P, C)$.⁹ A
cs-extend-reduction $P :: C \rhd_{cs\text{-}extend} C'$ can only be the result of the application
of the rules cs-simp or augment.

— Rule cs-simp. We have that $\Pi = P :: C \rhd^n_{cs\text{-}simp} C'$ for $n \ge 1$, i.e.
$P :: C \rhd_{cs\text{-}simp} \cdots \rhd_{cs\text{-}simp} C'$.¹⁰ Condition (i) then follows from (decreasing.cs-simp) by
transitivity. Condition (ii) is vacuously true since $\Pi$ does not contain any
cs-extend-reduction.

— Rule augment. We have that

$$\Pi \;=\; \frac{\Pi_1 \qquad \Pi_2 \qquad \{c'\} :: C_1 \rhd_{cs\text{-}simp} \cdots C'}{P :: C \rhd_{cs\text{-}extend} C'}$$

where $\Pi_1$ derives $C_1 :: Q\sigma \to_{ccr} \emptyset$ and $\Pi_2$ derives $C_1 :: c\sigma \to_{ccr} c'$, that is
$C_1 :: p\sigma \to^*_{ccr} true$ for all $p \in Q$, $C_1 :: c\sigma \to^*_{ccr} c'$ (and therefore $c' \preceq_e c\sigma$),
and $\{c'\} :: C_1 \rhd^+_{cs\text{-}simp} C'$, where $(Q \to c) \in R$, $(P, C, c) \Vdash (C_1, \sigma)$, and
$Q\sigma \prec\!\!\prec_e \{c\sigma\}$. Since $(P, C, c) \Vdash (C_1, \sigma)$, by (decreasing.select) we have that

$$\{c\sigma\} \preceq\!\!\preceq_e (P \cup \|C\|) \qquad (7)$$
$$(P, C_1) \prec_{cs} (P, C) \qquad (8)$$

Since $\{c'\} :: C_1 \rhd^+_{cs\text{-}simp} C'$, by (decreasing.cs-simp) and the transitivity of
$\prec_{cs}$ we have

$$(\{c'\}, C') \prec_{cs} (\{c'\}, C_1) \qquad (9)$$

and by (cs-prec2) we obtain:

$$(P \cup \{c'\}, C') \preceq_{cs} (P \cup \{c'\}, C_1) \qquad (10)$$

Since $c' \preceq_e c\sigma$, then by (7) we have that $\{c'\} \preceq\!\!\preceq_e (P \cup \|C\|)$ and by
(sound.select) we have that $\{c'\} \preceq\!\!\preceq_e (P \cup \|C_1\|)$. This fact and (cs-prec3)
allow us to turn (10) into $(P \cup \{c'\}, C') \preceq_{cs} (P, C_1)$. By applying (cs-prec1)
we then get $(P, C') \preceq_{cs} (P, C_1)$, which together with (8) allows us to conclude
$(P, C') \prec_{cs} (P, C)$.

By looking at the available inference rules, it can be easily verified that all
the maximal cs-extend-reductions properly occurring in $\Pi_1$ and $\Pi_2$ are of
the form $\{q\} :: C_1 \rhd_{cs\text{-}extend} \cdots$ with $q \preceq_e c\sigma$. Condition (ii) can thus be
reduced to proving that $(\{q\}, C_1) \prec_{cs} (P, C)$. This fact readily follows from
(decreasing.select).

The termination of formula simplification, i.e. of the $\rhd_{simp}$ relation, readily follows
from Theorem 2.

⁹ The case corresponding to the relation $\to_{ccr}$ is simple and therefore is omitted.

¹⁰ Notice that $C' \neq C$ follows from the implicit condition $(P, C') \neq (P, C)$ (cf. footnote 4 in
Section 3.2).



5 Related Work 

[14] describes the combination of a decision procedure for LA and a decision pro- 
cedure for ground equality and the integration of the compound procedure with 
rewriting using an integration schema which is essentially that of Boyer & Moore. 
The presentation of the integration schema is informal and the termination of 
the resulting form of simplification is not discussed. 

STeP [9] features a form of contextual rewriting integrated with a semi- 
decision procedure for first-order logic and a set of decision procedures extended 
to deal with non-ground constraints [3,2]. However the interplay with rewriting
is not addressed. On the other hand, the treatment of non-ground constraints is 
a significant extension which we have not yet investigated. 

[8] describes a prover which incorporates several decision procedures following 
the approach described in [17]. A form of augmentation is implemented via the 
use of matching rules , however the interplay between the decision procedures and 
the simplifier is presented informally and termination is not ensured. 

The work most closely related to ours is [12]. The paper presents an approach 
to the flexible integration of decision procedures into theorem provers by elabo- 
rating and extending the Boyer & Moore ideas. Termination of the resulting form 
of simplification is ensured but at the cost of losing much of the efficiency of the
Boyer & Moore schema. 

The Open Mechanized Reasoning Systems project (OMRS for short) [10] pro- 
vides a specification framework for supporting the activity of composing rea- 
soning systems. Similarly to OMRS we use a rule-based approach to specifying 
reasoning modules. A rational reconstruction of the logic level of the Boyer & 
Moore’s integration schema is reported in [5]. However the presentation is not 
abstracted from the specific decision procedure for LA and the control issues are 
not discussed. 

6 Conclusions 

We have presented a refined version of Constraint Contextual Rewriting which is 
guaranteed to terminate. The new version of CCR(X) retains the clear separation 
between rewriting and the decision procedure employed. Moreover the services 
provided by the decision procedure are specified abstractly (i.e., independently 
from the theory decided). This is in sharp contrast with the descriptions available 
in the literature in which the integration schemas are difficult to reuse and the 
fundamental properties of the resulting forms of simplification are not investi- 
gated. 

In future work we plan to investigate further properties of CCR(X). In par- 
ticular we plan to show that CCR(X) preserves the refutational completeness of 
many resolution-based proof procedures by generalizing the analogous result for 
contextual rewriting given in [20]. 

CCR is implemented in the system RDL (Rewrite and Decision procedure
Laboratory), which can be retrieved via the Constraint Contextual Rewriting
home page at http://www.mrg.dist.unige.it/ccr/.
Abstract. Combining a standard proof search method, such as reso-
lution or tableaux, and rewriting is a powerful way to cut off search
space in automated theorem proving, but proving the completeness of
such combined methods may be challenging. It may require in particular
to prove cut elimination for an extended notion of proof that combines
deductions and computations. This suggests new interactions between
automated theorem proving and proof theory.

When we search for a proof of the proposition $2 + 2 = 4$, we can use the axioms
of addition and equality to transform this proposition into $4 = 4$ and conclude
with the reflexivity axiom. We could also use these axioms to transform this
proposition into $2 + 2 = 2 + 2$ and conclude, but this proof is redundant with the
first, which is in many ways better. Indeed, the axioms of addition are better used
in one direction only: to compute values. In automated proof search systems,
we often suppress axioms, such as the axioms of addition, and replace them by
rewrite rules. This makes it possible to cut off search space while keeping completeness.

The rules of addition apply to terms, but rules applying to propositions may
also be considered. For instance, the axiom

$$\forall x\, y\; ((x \times y) = 0 \Leftrightarrow (x = 0 \vee y = 0))$$

can be replaced by the rule

$$x \times y = 0 \;\to\; x = 0 \vee y = 0$$

that rewrites an atomic proposition into a disjunction. Such rules are of special
interest in set theory, e.g.

$$x \in \{y, z\} \;\to\; x = y \vee x = z$$

and in type theory [1,2], e.g.

$$\varepsilon(x \,\dot{\Rightarrow}\, y) \;\to\; \varepsilon(x) \Rightarrow \varepsilon(y)$$

When we orient an axiom, we want to cut off search space, but we do not want
to lose completeness. In this note, we discuss the properties that the rewrite
system must fulfill, so that orientation does not jeopardize completeness.
1 Orientation

1.1 From Replacement to Rewriting

We consider a set $A$ and a binary relation $\to$ defined on $A$. We write $\to^*$ for its
reflexive-transitive closure and $\equiv$ for its reflexive-symmetric-transitive closure.

If $t$ and $t'$ are two elements of $A$, we have $t \equiv t'$ if and only if there is
a sequence of terms $t_1, \ldots, t_n$ such that $t = t_1$, $t' = t_n$ and for each $i$, either
$t_i \to t_{i+1}$ or $t_i \leftarrow t_{i+1}$.

For instance, let $A$ be a set of terms built with a binary operator $+$ and a finite
number of constants, and let $\to$ be the relation such that $t \to u$ if and only if $u$ is
obtained from $t$ by replacing a subterm of the form $(x + y) + z$ by $x + (y + z)$.
We can establish that

$$(a + (b + c)) + (d + e) \;\equiv\; (a + b) + ((c + d) + e)$$

with the sequence

$$(a + (b + c)) + (d + e) \;\leftarrow\; ((a + b) + c) + (d + e) \;\to\; (a + b) + (c + (d + e)) \;\leftarrow\; (a + b) + ((c + d) + e)$$

To establish that $t \equiv t'$, we search for such a sequence. We can apply the
following replacement method: we start with the equality $t = t'$ and we derive
more equalities with two rules. The first permits to derive $v = v'$ from $u = u'$
if $u = u' \to v = v'$ and the second permits to derive $v = v'$ from $u = u'$ if
$u = u' \leftarrow v = v'$. When we reach an equality of the form $u = u$, we are done.

Search is more efficient if we restrict to rewriting sequences, i.e. sequences of
the form

$$t = t_1 \to \cdots \to t_n = u_1 \leftarrow \cdots \leftarrow u_p = t'$$

For instance

$$(a + (b + c)) + (d + e) \;\to\; a + ((b + c) + (d + e)) \;\to\; a + (b + (c + (d + e))) \;\leftarrow\; (a + b) + (c + (d + e)) \;\leftarrow\; (a + b) + ((c + d) + e)$$

Indeed, to establish that $t \equiv t'$, we can restrict the replacement method to
the first rule and rewrite the equality $t = t'$ to an equality of the form $u = u$.

Such a restriction may be incomplete. Consider, for instance, the relation $\to'$
defined by $p \to' q$ and $p \to' r$. We have $q \leftarrow' p \to' r$ but there is no rewriting
sequence relating $q$ to $r$ and the equality $q = r$ cannot be rewritten.

A relation is said to be confluent if whenever $t \to^* t_1$ and $t \to^* t_2$ there is an
object $u$ such that $t_1 \to^* u$ and $t_2 \to^* u$.

For instance, the relation $\to$ above is confluent, but the relation $\to'$ is not.
It is easy to prove that when a relation is confluent, two objects are related if
and only if they are related by a rewriting sequence and thus that rewriting is a
complete search method.
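The associativity relation of Section 1.1 and the non-confluent relation $\to'$, with the search for a rewriting sequence $t \to^* u \leftarrow^* t'$ and the confluence test of the definition, in Python as an added example (not code from the note). Terms are nested tuples `("+", x, y)` over string constants; `reducts` enumerates $\{u : t \to^* u\}$, which is finite here because both relations terminate; `confluent_below` checks the confluence condition for all pairs of reducts of one starting object.

```python
# Added example, not code from the note: the relation "->" of Section 1.1 on terms
# built from "+" and constants, and the relation "->'" with p ->' q, p ->' r.
# A constant is a string; a sum x + y is the tuple ("+", x, y).

def show(t):
    """Render a term with parentheses around every inner sum."""
    if isinstance(t, str):
        return t
    _, l, r = t
    wrap = lambda u: u if isinstance(u, str) else "(" + show(u) + ")"
    return wrap(l) + " + " + wrap(r)


def assoc_step(t):
    """All u with t -> u: one subterm (x + y) + z is replaced by x + (y + z)."""
    if isinstance(t, str):
        return set()
    _, l, r = t
    out = set()
    if isinstance(l, tuple):                              # redex at the root
        _, x, y = l
        out.add(("+", x, ("+", y, r)))
    out |= {("+", l2, r) for l2 in assoc_step(l)}         # redex inside the left argument
    out |= {("+", l, r2) for r2 in assoc_step(r)}         # redex inside the right argument
    return out


def prime_step(t):
    """The relation ->' of the text: p ->' q and p ->' r, nothing else."""
    return {"q", "r"} if t == "p" else set()


def reducts(t, step):
    """{u : t ->* u}; finite because both relations above are terminating."""
    seen, todo = {t}, [t]
    while todo:
        u = todo.pop()
        for v in step(u):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def common_reducts(t1, t2, step):
    """Objects u with t1 ->* u <-* t2, i.e. the middle of a rewriting sequence t1 ->* u <-* t2."""
    return reducts(t1, step) & reducts(t2, step)


def joinable(t1, t2, step):
    return bool(common_reducts(t1, t2, step))


def confluent_below(t, step):
    """Confluence checked at t: every pair t ->* t1, t ->* t2 is joinable."""
    rs = reducts(t, step)
    return all(joinable(t1, t2, step) for t1 in rs for t2 in rs)


# The two terms of the text's example and the one irreducible term they both reach.
T1 = ("+", ("+", "a", ("+", "b", "c")), ("+", "d", "e"))
T2 = ("+", ("+", "a", "b"), ("+", ("+", "c", "d"), "e"))
NF = ("+", "a", ("+", "b", ("+", "c", ("+", "d", "e"))))

if __name__ == "__main__":
    meet = [show(u) for u in common_reducts(T1, T2, assoc_step)]
    print(show(T1), "and", show(T2), "meet at", meet)
    print("-> confluent below T1:", confluent_below(T1, assoc_step))
    print("->' confluent below p:", confluent_below("p", prime_step),
          "; q and r joinable:", joinable("q", "r", prime_step))
```

For the two terms of the text the only common reduct is `a + (b + (c + (d + e)))`, the right end of the displayed rewriting sequence, whereas `q` and `r` have no common reduct under $\to'$, which is exactly why the equality `q = r` cannot be rewritten.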



1.2 From Paramodulation to Narrowing

Let us now turn to proof search in predicate calculus with equality. We assume
that we have an equality predicate and the associated axioms. Paramodulation
[12] is an extension of resolution that allows to replace equals by equals in clauses.

For instance, if we want to refute the clauses

$$(X + Y) + Z = X + (Y + Z)$$
$$P((a + (b + c)) + (d + e))$$
$$\neg P((a + b) + ((c + d) + e))$$

we use the associativity to rearrange brackets in the other clauses until we can
resolve them.

Exactly as above, we can restrict the method and use some equalities in
one direction only. We suppress these equalities from the set of clauses to refute,
we orient them as rewrite rules and we use them with a narrowing (or oriented
paramodulation) rule that permits to unify a subterm of a clause with the left-
hand side of a rewrite rule, and replace the instantiated subterm with the right-
hand side of this rule (see, for instance, [10,8]). Notice that since clauses may
contain variables, we need to use unification (and not matching as in rewriting).

The completeness of this method mostly rests on confluence of the rewrite
system¹: instead of using the rewrite rules in both directions to unfold and fold
terms, we can use them in one direction only and meet on a common reduct.



1.3 Equational Resolution

Equational resolution [11,13] is another proof search method for predicate calcu-
lus with equality. In this method, like in narrowing, we suppress some equalities
from the set of clauses to refute and we orient them as rewrite rules. We write
$t \to t'$ if $t'$ is obtained by rewriting a subterm in $t$. We write $\to^*$ for the reflexive-
transitive closure of this relation and $\equiv$ for its reflexive-symmetric-transitive
closure.

Morally, we identify equivalent propositions and we work on equivalence clas-
ses. Hence, we use an extended resolution rule where unification is replaced by
equational unification [4,7]: a unifier of two terms $t$ and $u$ is a substitution $\sigma$ such
that $\sigma t \equiv \sigma u$ (and not $\sigma t = \sigma u$). For instance the terms $(a + (b + c)) + (d + e)$
and $(a + b) + ((c + d) + e)$ are trivially unifiable because they are equivalent and
hence with the clauses

$$P((a + (b + c)) + (d + e))$$
$$\neg P((a + b) + ((c + d) + e))$$

we can apply the resolution rule and get the empty clause.

To solve equational unification problems, we can use narrowing. But, in con-
trast with the previous method, the narrowing rule is applied to the unification
problems and not to the clauses.

¹ Actually, although confluence plays the major role in completeness proofs, termina-
tion also is used. Whether or not completeness fails for non terminating systems is
unknown to the author.



2 Completeness

We focus now on the completeness of equational resolution. We first recall a
completeness proof of resolution and then discuss how it can be adapted.

2.1 Completeness of Resolution

Cut elimination. A way to prove completeness of resolution is to prove that
whenever a sequent $A_1, \ldots, A_p \vdash B_1, \ldots, B_q$ has a proof in sequent calculus (see,
for instance, [5,6]), the empty clause can be derived from the clausal form of the
propositions $A_1, \ldots, A_p, \neg B_1, \ldots, \neg B_q$.

Usually this proof proceeds in two steps: we first prove that if a sequent
$\Gamma \vdash \Delta$ has a proof, then it has also a proof that does not use the cut rule of
sequent calculus (cut elimination theorem). Then we prove, by induction over
proof structure, that if $\Gamma \vdash \Delta$ has a cut free proof, then the empty clause can
be derived from the clausal form $cl(\Gamma, \neg\Delta)$ of the propositions $\Gamma, \neg\Delta$.

A variant. A variant of this proof isolates the clausification step. A first lemma
proves that if the sequent $\Gamma \vdash \Delta$ has a proof and $cl(\Gamma, \neg\Delta) = \{P_1, \ldots, P_n\}$, then
the sequent $\forall P_1 \ldots \forall P_n \vdash$ also has a proof, where $\forall P$ is the universal closure of
the proposition $P$.

Then, by the cut elimination theorem, if the sequent $\forall P_1 \ldots \forall P_n \vdash$ has a proof,
it has also a cut free proof. At last, we prove by induction over proof structure
that if $\forall P_1 \ldots \forall P_n \vdash$ has a cut free proof then the empty clause can be derived
from $\{P_1, \ldots, P_n\} = cl(\Gamma, \neg\Delta)$.

Herbrand theorem. Instead of using the cut elimination theorem some authors
prefer to use Herbrand theorem that is a variant of it.

According to Herbrand theorem, if $P_1, \ldots, P_n$ are quantifier free propositions
then the sequent $\forall P_1 \ldots \forall P_n \vdash$ has a proof if and only if there are instances
$\sigma^1_1 P_1, \ldots, \sigma^1_{k_1} P_1, \ldots, \sigma^n_1 P_n, \ldots, \sigma^n_{k_n} P_n$ of the propositions $P_1, \ldots, P_n$ such that
the quantifier free proposition $\neg(\sigma^1_1 P_1 \wedge \ldots \wedge \sigma^1_{k_1} P_1 \wedge \ldots \wedge \sigma^n_1 P_n \wedge \ldots \wedge \sigma^n_{k_n} P_n)$ is
tautologous.

As above, a first lemma proves that if the sequent $\Gamma \vdash \Delta$ has a proof and
$cl(\Gamma, \neg\Delta) = \{P_1, \ldots, P_n\}$, then the sequent $\forall P_1 \ldots \forall P_n \vdash$ also has a proof. By Her-
brand theorem, if the sequent $\forall P_1 \ldots \forall P_n \vdash$ has a proof, then there are instances
$\sigma^1_1 P_1, \ldots, \sigma^1_{k_1} P_1, \ldots, \sigma^n_1 P_n, \ldots, \sigma^n_{k_n} P_n$ of the propositions $P_1, \ldots, P_n$ such that the
quantifier free proposition $\neg(\sigma^1_1 P_1 \wedge \ldots \wedge \sigma^1_{k_1} P_1 \wedge \ldots \wedge \sigma^n_1 P_n \wedge \ldots \wedge \sigma^n_{k_n} P_n)$ is tau-
tologous. At last, we prove that if the proposition $\neg(\sigma^1_1 P_1 \wedge \ldots \wedge \sigma^1_{k_1} P_1 \wedge \ldots \wedge
\sigma^n_1 P_n \wedge \ldots \wedge \sigma^n_{k_n} P_n)$ is tautologous then the empty clause can be derived from
$\{P_1, \ldots, P_n\} = cl(\Gamma, \neg\Delta)$.


2.2 Completeness of Equational Resolution

This proof can be adapted to equational resolution. First, the identification of
equivalent propositions used in proof search can be used in sequent calculus also.
This leads to the sequent calculus modulo [1]. For instance, the axiom rule

$$\frac{}{A \vdash A}\ \text{axiom}$$

is transformed into the rule

$$\frac{}{A \vdash_\equiv B}\ \text{axiom} \quad \text{if } A \equiv B$$

and the left rule of disjunction

$$\frac{\Gamma, A \vdash \Delta \qquad \Gamma, B \vdash \Delta}{\Gamma, A \vee B \vdash \Delta}\ \vee\text{-left}$$

is transformed into the rule

$$\frac{\Gamma, A \vdash_\equiv \Delta \qquad \Gamma, B \vdash_\equiv \Delta}{\Gamma, C \vdash_\equiv \Delta}\ \vee\text{-left} \quad \text{if } C \equiv A \vee B$$

In sequent calculus modulo the rules of addition and multiplication, we have a
very short proof that the number 4 is even

$$\frac{\dfrac{\dfrac{}{4 = 4 \vdash_\equiv 4 = 2 \times 2}\ \text{axiom}}{\forall x\,(x = x) \vdash_\equiv 4 = 2 \times 2}\ \forall\text{-left}}{\forall x\,(x = x) \vdash_\equiv \exists y\,(4 = 2 \times y)}\ \exists\text{-right}$$

while proving this proposition would be much more cumbersome in sequent
calculus with the axioms of addition and multiplication.

Using sequent calculus modulo, we can prove the completeness of equational
resolution. First, we prove the equivalence lemma: if the rewrite system encodes
a theory $\mathcal{T}$ then the sequent $\Gamma, \mathcal{T} \vdash \Delta$ has a proof in sequent calculus if and
only if the sequent $\Gamma \vdash_\equiv \Delta$ has a proof in sequent calculus modulo. Then, the
cut elimination theorem extends trivially to sequent calculus modulo when the
equivalence is generated by rewrite rules applying to terms. At last, we prove by
induction over proof structure, that if $\Gamma \vdash_\equiv \Delta$ has a cut free proof in sequent
calculus modulo, then the empty clause can be derived from $cl(\Gamma, \neg\Delta)$ with
the rules of equational resolution. The confluence of the rewrite system is only
needed to prove that narrowing is a complete equational unification method.

2.3 Equational Resolution as Narrowing 

Equational resolution can be seen as a formulation of narrowing. This suggests 
another completeness proof, reducing the completeness of equational resolution 
to that of narrowing. 

Indeed, instead of resolving two clauses and narrowing the unification pro- 
blem, as we do in equational unification, we could first narrow the clauses and 
apply the usual resolution rule to get the same result. 

For instance, instead of resolving 

P((a + (b + c)) + (d + e)) 

- >-P((a + b) + ((c + d) + e)) 
and narrowing the unification problem 

(a + (6 + c)) + (d + e) = (a + b) + ((c + d) + e) 

we could take an option on these two clauses, and narrow them until they can 
be resolved. 

So, narrowing a unification problem is just a way to narrow the clauses it 
comes from. Hence, equational resolution can be seen as a formulation of narro- 
wing and thus as an implementation of paramodulation with the restriction that 
some equations should be used in one direction only. Hence, the completeness of 
equational resolution rests on confluence. 

3 Rewriting Propositions

So far, we have considered methods where axioms are replaced by rewrite rules
applying to terms. We have seen that the proof search methods obtained this
way could be seen as restrictions of paramodulation and that their completeness
rested on confluence. We consider now more powerful rewrite rules applying to
propositions. For instance, the axiom

$$\forall x\, y\; (x \times y = 0 \Leftrightarrow (x = 0 \vee y = 0))$$

can be replaced by the rule

$$x \times y = 0 \;\to\; x = 0 \vee y = 0$$

that applies directly to propositions. For technical reasons, we restrict to rules,
such as this one, whose left-hand side is an atomic proposition.

For example, with this rule, we can prove the proposition

$$\exists z\, (a \times a = z \Rightarrow a = z)$$

in sequent calculus modulo

$$\frac{\dfrac{\dfrac{\dfrac{}{a = 0 \vdash_\equiv a = 0}\ \text{axiom} \qquad \dfrac{}{a = 0 \vdash_\equiv a = 0}\ \text{axiom}}{a \times a = 0 \vdash_\equiv a = 0}\ \vee\text{-left}}{\vdash_\equiv a \times a = 0 \Rightarrow a = 0}\ \Rightarrow\text{-right}}{\vdash_\equiv \exists z\, (a \times a = z \Rightarrow a = z)}\ \exists\text{-right}$$

3.1 Resolution Modulo 

In this case, equational resolution can be extended to resolution modulo [1]. In 
resolution modulo, like in equational resolution, the rewrite rules applying to 
terms are used to narrow unification problems, but, like in narrowing, the rules 
applying to propositions are used to narrow the clauses directly. 

For instance, if we take the clausal form of the negation of the proposition 

$\exists z\ (a \times a = z \Rightarrow a = z)$ 

i.e. the clauses 

$a \times a = Z$ 
$\neg a = Z$ 

we can narrow the first clause with the rule 

$x \times y = 0 \to x = 0 \vee y = 0$ 

(instantiating $Z$ to $0$) yielding the clause $a = 0 \vee a = 0$, i.e. 

$a = 0$ 

Then, we resolve this clause with $\neg a = Z$ and get the empty clause. 

3.2 Resolution with Axioms 

An alternative is to keep the axiom 

$\forall x\, y\ (x \times y = 0 \Leftrightarrow (x = 0 \vee y = 0))$ 

and to use resolution. In this case, we have to refute the clauses 

$\neg X \times Y = 0,\ X = 0,\ Y = 0$ 
$X \times Y = 0,\ \neg X = 0$ 
$X \times Y = 0,\ \neg Y = 0$ 
$a \times a = Z$ 
$\neg a = Z$ 

We resolve the clause $a \times a = Z$ with the clause $\neg X \times Y = 0,\ X = 0,\ Y = 0$ 
yielding the clause $a = 0$. Then, we resolve this clause with $\neg a = Z$ and get the 
empty clause. 

As above, resolution modulo can be seen as a restriction of resolution, where 
some clauses can be used in one direction only. As above we could think that 
resolution modulo is complete as soon as the rewrite system is confluent. 
Unfortunately this is not the case. 

3.3 A Counter Example to Completeness 

The axiom 

$A \Leftrightarrow (B \wedge \neg A)$ 

can be transformed into a rewrite rule (Crabbé's rule) 

$A \to B \wedge \neg A$ 

Resolution modulo cannot prove the proposition $\neg B$, because from the clause 
$B$, neither the resolution rule nor the narrowing rule can be applied. 

But, surprisingly, with the axiom $A \Leftrightarrow (B \wedge \neg A)$, we can prove the proposition 
$\neg B$. Indeed, the clausal form of the proposition $A \Rightarrow (B \wedge \neg A)$ yields the clauses 

$\neg A, B$ 
$\neg A$ 

the clausal form of the proposition $(B \wedge \neg A) \Rightarrow A$ yields 

$A, \neg B$ 

and the clausal form of the negation of the proposition $\neg B$ yields 

$B$ 

From $B$ and $A, \neg B$, we derive $A$ and then from this clause and $\neg A$ we get the 
empty clause. Hence, a resolution proof with axioms cannot always be trans-
formed into a resolution modulo proof. Resolution modulo cannot be seen as a 
restriction of resolution where some clauses can be used in one direction only 
and completeness may be lost even if the rewrite system is confluent. 

Notice that, in the resolution proof, clauses coming from both propositions 
$A \Rightarrow (B \wedge \neg A)$ and $(B \wedge \neg A) \Rightarrow A$ are used. Hence, although the rewrite system 
is confluent, we need both to unfold $A$ to $B \wedge \neg A$ and to fold $B \wedge \neg A$ to $A$. 
Moreover, when we resolve $B$ with $\neg B, A$ we fold $B \wedge \neg A$ to $A$ although we have 
proved the proposition $B$, but not the proposition $\neg A$ yet. This partial folding 
that resolution allows but resolution modulo disallows is the reason why some 
resolution proofs cannot be transformed into resolution modulo proofs. 

Hence, orientation cuts off search space more dramatically when we have 
rules rewriting propositions than when we have only rules rewriting terms. It 
can cut off search space so dramatically that completeness may be lost. 



3.4 Completeness of Resolution Modulo 



Since resolution can prove the proposition $\neg B$ with the axiom $A \Leftrightarrow (B \wedge \neg A)$, 
the sequent $A \Leftrightarrow (B \wedge \neg A) \vdash \neg B$ can be proved in sequent calculus and hence 
the sequent $\vdash \neg B$ can be proved in sequent calculus modulo. For instance, it has 
the following proof, in which an occurrence of $A$ is read as $B \wedge \neg A$ whenever a 
$\wedge$ rule is applied to it. Both premises of the cut rest on the same derivation of 
$A, B \vdash$: 

$B, A, B \vdash A$ (weakening and axiom), hence by $\neg$-left 
$B, \neg A, A, B \vdash$, hence by $\wedge$-left 
$A, A, B \vdash$, hence by contraction-left 
$A, B \vdash$. 

The left premise of the cut is built on top of this derivation: 

$A, B \vdash$, hence by $\neg$-right 
$B \vdash \neg A$, which together with $B \vdash B$ (axiom) gives by $\wedge$-right 
$B \vdash A$. 

The right premise is $A, B \vdash$ itself, so that 

$B \vdash A$ and $A, B \vdash$ give by cut 
$B \vdash$, hence by $\neg$-right 
$\vdash \neg B$. 

The proposition $\neg B$ has a proof in sequent calculus modulo but not in resolution 
modulo and thus resolution modulo is incomplete. 

The completeness theorem of resolution modulo does not prove that each 
time a proposition has a proof in sequent calculus modulo, it has a proof in 
resolution modulo (because this is false), but it proves, using techniques similar 
to those developed in Sections 2.1 and 2.2, that if a proposition has a cut free 
proof in sequent calculus modulo, it has a proof in resolution modulo. 

The proposition $\neg B$ has a proof in sequent calculus modulo, but no cut free 
proof, and sequent calculus modulo the rule $A \to B \wedge \neg A$ does not have the cut 
elimination property. 

Modulo some rewrite systems such as 

$x \times y = 0 \to x = 0 \vee y = 0$ 

or 

$A \to B \wedge A$ 

sequent calculus modulo has the cut elimination property and thus resolution 
modulo is complete. Hence modulo these rewrite systems there is no occurrence 
of the phenomenon we have observed above, where a resolution proof could not 
be transformed into a resolution modulo proof because it used partial folding. 
Still the translation of resolution proofs to resolution modulo proofs is non 
trivial because it involves cut elimination. 

In [3] we present cut elimination proofs for large classes of rewrite systems 
(including various presentations of type theory, all confluent and terminating 
quantifier free rewrite systems, ...) and we conjecture that cut elimination holds 
for all terminating and confluent rewrite systems, although we know that such a 
conjecture cannot be proved in type theory or in large fragments of set theory be-
cause it implies their consistency. Cut elimination also holds for sequent calculus 
modulo some non terminating rewrite systems such as 

Notice that when resolution modulo is complete (for instance for type theory), 
this completeness result cannot be proved in the theory itself (because it implies 
its consistency), while confluence usually can. So, it is not surprising that tools 
more powerful than confluence, such as cut elimination, are required. 



3.5 Towards a New Kind of Completion 

Completion [9] transforms a rewrite system into a confluent one. We can imagine 
a similar process that transforms a rewrite system into one modulo which sequent 
calculus has the cut elimination property. 

For instance, the rule $A \to B \wedge \neg A$ is equivalent to the axiom $A \Leftrightarrow (B \wedge \neg A)$ 
whose clausal form is 

$A, \neg B \qquad B, \neg A \qquad \neg A$ 

like that of the axioms $A \Leftrightarrow \bot$ and $B \Leftrightarrow A$ that are equivalent to the rewrite 
system $A \to \bot,\ B \to A$ modulo which sequent calculus has the cut elimination 
property and resolution is complete. 

So we could imagine to transform the rewrite system 

$A \to (B \wedge \neg A)$ 

into 

$A \to \bot$ 
$B \to A$ 

or even into 

$A \to \bot$ 
$B \to \bot$ 

in order to recover completeness. 
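The following Python program is an added example and not part of the paper: it runs both search procedures of Sections 3.1 to 3.5 on propositional clauses, so that the Crabbé phenomenon can be reproduced directly. Narrowing uses a rule only left to right (unfolding), while resolution with the axiom's clauses may also fold; the atom names A, B and the "completed" system A → ⊥, B → ⊥ are those of the text, and the example of Section 3.1 is taken in its instance Z := 0, with a×a=0 and a=0 as atoms, since the program does no unification. The clause and formula encodings are the example's own choice.

```python
# Added example (not the paper's code): propositional resolution modulo versus
# resolution with axioms, on the examples of Sections 3.1 to 3.5.
# A clause is a frozenset of literals (atom, sign); a formula is a small tree:
# ('lit', atom, sign), ('and', f, g), ('or', f, g), ('true',) or ('false',).
# A rewrite rule maps an atomic proposition (its left-hand side) to a formula.
from itertools import combinations

def neg(f):
    """Negation normal form of the negation of f."""
    tag = f[0]
    if tag == 'lit':
        return ('lit', f[1], not f[2])
    if tag == 'and':
        return ('or', neg(f[1]), neg(f[2]))
    if tag == 'or':
        return ('and', neg(f[1]), neg(f[2]))
    return ('false',) if tag == 'true' else ('true',)

def cnf(f):
    """Clausal form of f: a set of clauses (the empty set stands for 'true')."""
    tag = f[0]
    if tag == 'true':
        return set()
    if tag == 'false':
        return {frozenset()}
    if tag == 'lit':
        return {frozenset({(f[1], f[2])})}
    if tag == 'and':
        return cnf(f[1]) | cnf(f[2])
    return {c | d for c in cnf(f[1]) for d in cnf(f[2])}      # tag == 'or'

def tautology(clause):
    return any((atom, not sign) in clause for atom, sign in clause)

def narrow(clause, rules):
    """Narrowing: replace a literal whose atom is the left-hand side of a rule
    by the right-hand side (negated for a negative literal). Rules are used
    left-to-right only; nothing ever folds a right-hand side back."""
    out = set()
    for atom, sign in clause:
        if atom in rules:
            rhs = rules[atom] if sign else neg(rules[atom])
            rest = clause - {(atom, sign)}
            out |= {rest | d for d in cnf(rhs)}
    return out

def resolvents(c, d):
    """All binary resolvents of clauses c and d."""
    return {(c - {(atom, sign)}) | (d - {(atom, not sign)})
            for atom, sign in c if (atom, not sign) in d}

def refutable(clauses, rules):
    """Saturate `clauses` under narrowing with `rules` and resolution; True iff
    the empty clause is derived. With rules == {} this is plain resolution.
    Terminates: only finitely many clauses exist over the finite set of atoms
    occurring in the clauses and in the rules."""
    known = {c for c in clauses if not tautology(c)}
    while frozenset() not in known:
        new = set()
        for c in known:
            new |= narrow(c, rules)
        for c, d in combinations(known, 2):
            new |= resolvents(c, d)
        new = {c for c in new if not tautology(c)} - known
        if not new:
            return False
        known |= new
    return True

def clause(*lits):
    """Build a clause from (atom, sign) pairs, e.g. clause(('A', True), ('B', False))."""
    return frozenset(lits)

def iff_clauses(atom, rhs):
    """Clausal form of the axiom  atom <=> rhs  (both directions kept)."""
    lhs = ('lit', atom, True)
    return cnf(('and', ('or', neg(lhs), rhs), ('or', neg(rhs), lhs)))

# Crabbé's rule  A -> B /\ ~A  (Section 3.3) ...
A, B = ('lit', 'A', True), ('lit', 'B', True)
CRABBE = {'A': ('and', B, neg(A))}
# ... and the "completed" system  A -> _|_, B -> _|_  of Section 3.5.
COMPLETED = {'A': ('false',), 'B': ('false',)}
# Propositional instance of Section 3.1 with Z := 0:  a*a=0 -> a=0 \/ a=0.
MULT = {'a*a=0': ('or', ('lit', 'a=0', True), ('lit', 'a=0', True))}

if __name__ == '__main__':
    goal = {clause(('B', True))}                        # negation of ~B
    print('modulo Crabbé:', refutable(goal, CRABBE))   # stuck on the clause B
    print('with axiom   :', refutable(iff_clauses('A', ('and', B, neg(A))) | goal, {}))
    print('completed    :', refutable(goal, COMPLETED))
    print('a*a=0 example:', refutable({clause(('a*a=0', True)), clause(('a=0', False))}, MULT))
```

Run as a script, the first line reports that resolution modulo Crabbé's rule gets stuck on the single clause B, the second that resolution with the three clauses of the axiom refutes B (through the clause A, ¬B, the partial folding the text describes), and the third that the completed system A → ⊥, B → ⊥ narrows B straight to the empty clause.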

Acknowledgements. Thanks to Th. Hardin, C. Kirchner, Ch. Lynch and B. Wer-
ner for many helpful discussions on this subject. 
Abstract. In this paper we present a framework for the combination of 
modal and temporal logic. This framework allows us to combine diffe-
rent normal forms, in particular, a separated normal form for temporal 
logic and a first-order clausal form for modal logics. The calculus of the 
framework consists of temporal resolution rules and standard first-order 
resolution rules. 

We show that the calculus provides a sound, complete, and termina-
ting inference system for arbitrary combinations of subsystems of multi-
modal S5 with linear temporal logic. 



1 Introduction 

For a number of years, temporal and modal logics have been applied outside pure 
logic in areas such as formal methods, theoretical computer science and artificial 
intelligence. A variety of sophisticated methods for reasoning with these logics 
have been developed, and in many cases applied to real-world problems. 

With the advent of more complex applications, a combination of modal and 
temporal logics is increasingly required, particularly in areas such as security in 
distributed systems (Halpern 11), specifying multi-agent systems (Jennings 14; 
Wooldridge and Jennings 20), temporal databases (Finger 7), and accident 
analysis (Johnson 15). Further motivation for the importance of combinations of 
modal logics can be found in (Blackburn and de Rijke 3). 

In all these cases, combinations of multi-modal and temporal logics are used 
to capture the detailed behaviour of the application domain. While many of 
the basic properties of such combinations are well understood (Baader and Ohl-
bach 1; Fagin et al. 6; Gabbay 8; Wolter 18), very little work has been carried out 
on proof methods for such logics. Wooldridge, Dixon, and Fisher (19) present 
a tableaux-based calculus for the combination of discrete linear temporal logic 
with the modal logics KD45 (characterising belief) and S5 (characterising know-
ledge). Dixon, Fisher, and Wooldridge (5) present a resolution-based calculus 
for the combination of discrete linear temporal logic with the modal logic S5. A 
combination of calendar logic for specifying everyday temporal notions with a 
variety of other modal logics has been considered in (Ohlbach 16; Ohlbach and 
Gabbay 17). 

Our aim in this paper is to present an approach that is general enough to 
capture a wide range of combinations of temporal and modal logics, but still 
provides viable means for effective theorem proving. The following aspects of 
our approach are novel: 

— The approach covers the combination of discrete, linear, temporal logic with 
extensions of multi-modal $K_m$ by any combination of the axiom schemata 
4, 5, B, D, and T. This extends the results presented in (Dixon et al. 5; 
Wooldridge et al. 19). 

— Instead of combining two calculi operating according to the same underlying 
principles, like for example two tableaux-based calculi, we combine two dif- 
ferent approaches to theorem-proving in modal and temporal logics, namely 
the translation approach for modal logics (using first-order resolution) and 
the SNF approach for temporal logics (using modal resolution). 

— The particular translation we use has only recently been proposed by de Ni- 
velle (4) and can be seen as a special case of the T-encoding introduced by 
Ohlbach (16). It allows for conceptually simple decision procedures for ex- 
tensions of K4 by ordered resolution without any reliance on loop checking 
or similar techniques. 



2 Combinations of Temporal and Modal Logics 

In this section, we give the syntax and semantics of a class of combinations of a 
discrete linear temporal logic with normal multi-modal logics. 

Syntax 

Let $P$ be a set of propositional variables, $A$ a set of agents, and $M$ a set of 
modalities. Then the tuple $\Sigma = (P, A, M)$ is a signature of MTL. If $m \in M$ and 
$a \in A$, then the ordered pair $(m, a)$ is a modal parameter. The set of well-formed 
formulae of MTL over a signature $\Sigma$ is inductively defined as follows: (i) true 
and false are formulae, (ii) every propositional variable is a formula, (iii) if $\varphi$ 
and $\psi$ are formulae, then $\neg\varphi$, $\varphi \vee \psi$, $\varphi \wedge \psi$, $\varphi \Rightarrow \psi$, and $\varphi \Leftrightarrow \psi$ are formulae, 
(iv) if $\varphi$ and $\psi$ are formulae, then $\bigcirc\varphi$, $\Diamond\varphi$, $\Box\varphi$, $\varphi\,\mathcal{U}\,\psi$, and $\varphi\,\mathcal{W}\,\psi$ are formulae, 
(v) if $\varphi$ is a formula and $\kappa$ is a modal parameter, then $[\kappa]\varphi$ is a formula. 

We also use true and false to denote the empty conjunction and disjunction, 
respectively. A literal is either $p$ or $\neg p$ where $p$ is a propositional variable. A 
modal literal is either $[\kappa]L$ or $\neg[\kappa]L$ where $\kappa$ is a modal parameter and $L$ is a 
literal. For any (modal) literal $L$ we denote by $\sim L$ the negation normal form of 
$\neg L$. 

With each modal parameter we can associate a set of axiom schemata defining 
its properties. We assume that the axiom schemata K and Nec hold for every 
modal operator. In this paper we allow in addition any combination of the axiom 
schemata 4, 5, B, D, and T. 
Semantics 

Let $S$ be a set of states. A timeline is an infinite, linear, discrete sequence of states 
indexed by the natural numbers. A point is an ordered pair $(t, k)$ where $t$ is a 
timeline and $k$ is a natural number, a so-called temporal index. $V$ denotes the set 
of all points. A valuation $\iota$ is a mapping from $V$ to a subset of $P$. An interpretation 
$\mathcal{M}$ is a tuple $(T, t_0, \mathcal{R}, \iota)$ where $T$ is a set of timelines with a distinguished 
timeline $t_0 \in T$, $\mathcal{R}$ is a collection of binary relations on $V$ containing for every 
modal parameter $\kappa$ a relation $R_\kappa$, and $\iota$ is a valuation. 

We define a binary relation $\models$ between a formula $\varphi$ and a pair $\mathcal{M}$ and $(t, k)$ 
where $\mathcal{M}$ is an interpretation and $(t, k)$ is a point as follows. 

If $\mathcal{M}, w \models \varphi$ then we say $\varphi$ is true or holds at $w$ in $\mathcal{M}$. An interpretation $\mathcal{M}$ 
satisfies a formula $\varphi$ iff $\varphi$ holds at $(t_0, 0)$ and it satisfies a set $N$ of formulae iff 
for every formula $\psi \in N$, $\mathcal{M}$ satisfies $\psi$. In this case $\mathcal{M}$ is a model for $\varphi$ and $N$, 
respectively. 

Let $\mathcal{M}$ be an interpretation and let $T$ be a relation on points such that 
$((t, k), (t', k')) \in T$ iff $t = t'$ and $k' = k + 1$. Let $v, w$ be points in $\mathcal{M}$. Then $w$ is 
reachable from $v$ iff $(v, w) \in (T \cup \bigcup_\kappa R_\kappa)^*$. An interpretation $\mathcal{M}$ such that every 
point in $\mathcal{M}$ is reachable from $(t_0, 0)$ is a connected interpretation. 

Note that the semantics of MTL is a notational variation of the standard 
(Kripke) semantics of multi-modal logics with points corresponding to worlds. 
For every modal parameter $\kappa$ we have a relation $R_\kappa$ on worlds. In addition, there 
is a temporal relation $T$ on worlds defined as the union of a family of 
disjoint, discrete, linear orders on the set of worlds. The semantics of $\bigcirc\varphi$ is 
given in terms of $T$ while the semantics of the remaining temporal operators 
is given in terms of the reflexive, transitive closure $T^*$ of $T$. In case we have 
associated additional axiom schemata to a modal operator $[\kappa]$, the relation $R_\kappa$ 
has to satisfy the well-known corresponding properties, that is, transitivity for 
4, euclideanness for 5, symmetry for B, seriality for D, and reflexivity for T. 
3 A Normal Form for MTL Formulae 

Dixon et al. (5) have shown that every well-formed formula of MTL can be 
transformed to a set of $\mathrm{SNF}_K$ clauses in a satisfiability equivalence preserving 
way. The use of $\mathrm{SNF}_K$ clauses eases the presentation of a resolution calculus for 
MTL as well as the soundness, completeness and termination proof. 

The transformation $\Pi_K$ to $\mathrm{SNF}_K$ clauses uses a renaming technique where 
particular subformulae are replaced by new propositions. To ease the presenta-
tion of $\mathrm{SNF}_K$ clauses we use the universal modality $\Box^*$ as an auxiliary modal 
operator. The modal operator $\Box^*$ has the following important property. 

Theorem 1 (Goranko and Passy 10). Let $\mathcal{M}$ be an interpretation, let $v, w$ 
be points in $\mathcal{M}$, and let $\varphi$ be a formula such that $\mathcal{M}, v \models \Box^*\varphi$. Then $\mathcal{M}, w \models \varphi$ 
for every point $w$ reachable from $v$. 

In connected interpretations also the following stronger result holds. 

Theorem 2. Let $\mathcal{M}$ be a connected interpretation and $\varphi$ be a well-formed for-
mula of MTL. Then $\mathcal{M}, (t_0, 0) \models \Box^*\varphi$ iff $\mathcal{M}, w \models \varphi$ for every point $w$ in $\mathcal{M}$. 

$\mathrm{SNF}_K$ clauses have the following form 

(initial clause)    $\mathbf{start} \Rightarrow \bigvee_{i=1}^n L_i$ 
(global clause)     $\Box^*(\bigwedge_{j=1}^m K_j \Rightarrow \bigcirc(\bigvee_{i=1}^n L_i))$ 
(sometime clause)   $\Box^*(\bigwedge_{j=1}^m K_j \Rightarrow \Diamond L)$ 
(literal clause)    $\Box^*(\mathbf{true} \Rightarrow \bigvee_{i=1}^n L_i)$ 
(modal clause)      $\Box^*(\mathbf{true} \Rightarrow L_i \vee M_i)$ 

where $K_j$, $L_i$, and $L$ (with $1 \le j \le m$ and $1 \le i \le n$) are literals and $M_i$ is a 
modal literal. 

We only present the part of $\Pi_K$ dealing with formulae of the form $\Box\varphi$ and 
$\varphi\,\mathcal{W}\,\psi$ which is important for the understanding of the temporal resolution rule 
and the example derivation presented later. For a complete description of $\Pi_K$ 
see Dixon et al. (5). 

$\{A \Rightarrow \Box\varphi\} \ \longrightarrow\ \{A \Rightarrow B,\ B \Rightarrow \bigcirc B,\ B \Rightarrow \varphi\}$ 
    if $\varphi$ is a literal and $B$ is new 

$\{A \Rightarrow \varphi\,\mathcal{W}\,\psi\} \ \longrightarrow\ \{A \Rightarrow \varphi \vee \psi,\ A \Rightarrow B \vee \psi,\ B \Rightarrow \bigcirc(\varphi \vee \psi),\ B \Rightarrow \bigcirc(B \vee \psi)\}$ 
    if $\varphi$ and $\psi$ are literals and $B$ is new 

Theorem 3 (Dixon et al. 5). Let $\varphi$ be a formula of MTL. Then $\varphi$ is satisfia-
ble if and only if $\Pi_K(\varphi)$ is satisfiable in a connected interpretation. 
4 Translation of $\mathrm{SNF}_K$ Clauses into $\mathrm{SNF}_r$ Clauses 

In the approach of Dixon et al. (5) the calculus for MTL consists of a set of 
special resolution inference rules for $\mathrm{SNF}_K$ clauses. Broadly, these rules can be 
divided into two classes: those dealing with $\mathrm{SNF}_K$ clauses containing temporal 
operators and those dealing with $\mathrm{SNF}_K$ clauses containing modal operators. 
Inference rules in the latter class also take care that the calculus is complete if 
we have associated the axiom schemata of S5 with all modal operators. 

Instead of using additional resolution rules for modal literals we use the trans-
lation approach to modal theorem proving. That is, we translate occurrences of 
modal literals into first-order logic, in particular, we do so in a way that preserves 
satisfiability and makes the use of first-order resolution possible. However, the 
temporal connectives are not translated and we will include additional inference 
rules for them in our calculus. Intuitively, the proposed translation makes the 
underlying relations $R_\kappa$ on points explicit as well as the quantificational effect 
of the modal operator $[\kappa]$ explicit in our language, but still leaves the relations 
and quantificational effect of the temporal operators implicit. 

The translation function $\pi_r$ on literals, and conjunctions and disjunctions of 
literals is defined as follows. 

$\pi_r(\mathbf{true}, x) = \mathbf{true}$ 
$\pi_r(\mathbf{false}, x) = \mathbf{false}$ 
$\pi_r(p, x) = q_p(x)$ 
$\pi_r(\neg p, x) = \neg q_p(x)$ 
$\pi_r(\varphi * \psi, x) = \pi_r(\varphi, x) * \pi_r(\psi, x)$ for $* \in \{\wedge, \vee, \Rightarrow\}$ 
$\pi_r(\bigcirc\varphi, x) = \bigcirc\pi_r(\varphi, x)$ 
$\pi_r(\Diamond\varphi, x) = \Diamond\pi_r(\varphi, x)$ 
$\pi_r([\kappa]L, x) = \forall y\,(\neg r_\kappa(x, y) \vee \pi_r(L, y))$ 
$\pi_r(\neg[\kappa]L, x) = r_\kappa(x, f(x)) \wedge \pi_r(\sim L, f(x))$ 

$p$ is a propositional variable, $q_p$ is a unary predicate symbol uniquely associated 
with $p$, $L$ is a literal, and $f$ is a Skolem function uniquely associated with an 
occurrence of $[\kappa]L$. In addition, following de Nivelle (4) the mapping $\tau_r$ on modal 
literals is defined by 

$\tau_r([\kappa]L, x) = q_{[\kappa]L}(x) \qquad \tau_r(\neg[\kappa]L, x) = \neg q_{[\kappa]L}(x)$ 

where $q_{[\kappa]L}$ is a new predicate symbol uniquely associated with $[\kappa]L$. 
The translation $\Pi_r$ on $\mathrm{SNF}_K$ clauses is defined in the following way: 

$\Pi_r(\mathbf{start} \Rightarrow \bigvee_{i=1}^n L_i) = \{\pi_r(\mathbf{true} \Rightarrow \bigvee_{i=1}^n L_i, \mathbf{now})\}$ 
$\Pi_r(\Box^*(\bigwedge_{j=1}^m K_j \Rightarrow \bigcirc(\bigvee_{i=1}^n L_i))) = \{\forall x\,\pi_r(\bigwedge_{j=1}^m K_j \Rightarrow \bigcirc(\bigvee_{i=1}^n L_i), x)\}$ 
$\Pi_r(\Box^*(\bigwedge_{j=1}^m K_j \Rightarrow \Diamond L)) = \{\forall x\,\pi_r(\bigwedge_{j=1}^m K_j \Rightarrow \Diamond L, x)\}$ 
$\Pi_r(\Box^*(\mathbf{true} \Rightarrow \bigvee_{i=1}^n L_i)) = \{\forall x\,\pi_r(\mathbf{true} \Rightarrow \bigvee_{i=1}^n L_i, x)\}$ 
$\Pi_r(\Box^*(\mathbf{true} \Rightarrow L_i \vee M_i)) = \{\forall x\,(\mathbf{true} \Rightarrow \pi_r(L_i, x) \vee \tau_r(M_i, x)),\ \forall x\,(\mathbf{true} \Rightarrow \neg\tau_r(M_i, x) \vee \pi_r(M_i, x))\}$ 

The translation of a set $N$ of $\mathrm{SNF}_K$ clauses is given by 

$\Pi_r(N) = \bigcup_{C \in N} \Pi_r(C)$. 
Table 1. Translation of axiom schemata 

4   Transitivity    $\forall x, y\,(\mathbf{true} \Rightarrow \neg q_{[\kappa]L}(x) \vee \neg r_\kappa(x, y) \vee q_{[\kappa]L}(y))$ 
5   Euclideanness   $\forall x, y\,(\mathbf{true} \Rightarrow \neg q_{[\kappa]L}(y) \vee \neg r_\kappa(x, y) \vee q_{[\kappa]L}(x))$ 
B   Symmetry        $\forall x, y\,(\mathbf{true} \Rightarrow \neg q_{[\kappa]L}(y) \vee \neg r_\kappa(x, y) \vee \pi_r(L, x))$ 
D   Seriality       $\forall x\,(\mathbf{true} \Rightarrow r_\kappa(x, f(x)))$ 
T   Reflexivity     $\forall x\,(\mathbf{true} \Rightarrow r_\kappa(x, x))$ 
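The following Python code is an added example and not the paper's own implementation: it carries out the translation of Section 4 and Table 1 for the modal clauses $\Box^*(\mathbf{true} \Rightarrow L \vee M)$, producing first-order clauses as sets of literals. The predicate names $q_p$, $q_{[\kappa]L}$, $r_\kappa$ and the Skolem functions $f_i$ (one per occurrence of $\neg[\kappa]L$) follow the text; the tuple encoding of literals and terms, and the sample clauses fed to it, are the example's own constructions.

```python
# Added example (not the paper's code): the translation pi_r / tau_r of
# Section 4 for modal clauses  []*(true => L v M)  and the schema clauses of
# Table 1, producing first-order clauses. A first-order literal is a triple
# (sign, predicate, args); a term is a variable (any string other than 'now'),
# the constant 'now', or ('f_i', term) for a Skolem function f_i uniquely
# associated with one occurrence of a modal literal. A propositional literal
# is (sign, p); a modal literal is (sign, kappa, (sign, p)) for [kappa]p.
from itertools import count

def skolem_names():
    """Fresh Skolem function names f1, f2, ... (one per occurrence of ~[kappa]L)."""
    return ('f%d' % i for i in count(1))

def q_name(p):                       # unary predicate q_p associated with p
    return 'q_' + p

def q_box_name(kappa, lit):          # predicate q_[kappa]L associated with [kappa]L
    sign, p = lit
    return 'q_[%s]%s%s' % (kappa, '' if sign else '~', p)

def r_name(kappa):                   # binary predicate r_kappa for the relation R_kappa
    return 'r_' + kappa

def flip(fo_lit):
    sign, pred, args = fo_lit
    return (not sign, pred, args)

def pi_lit(lit, x):
    """pi_r(p, x) = q_p(x) and pi_r(~p, x) = ~q_p(x)."""
    sign, p = lit
    return (sign, q_name(p), (x,))

def pi_modal(mlit, x, skolem, y='y'):
    """pi_r on a modal literal, in clausal form (a list of clauses):
    pi_r([k]L, x) = forall y (~r_k(x,y) v pi_r(L,y)) is one clause;
    pi_r(~[k]L, x) = r_k(x,f(x)) /\ pi_r(~L, f(x)) is two unit clauses."""
    sign, kappa, lit = mlit
    if sign:
        return [frozenset({(False, r_name(kappa), (x, y)), pi_lit(lit, y)})]
    fx = (next(skolem), x)
    neg_lit = (not lit[0], lit[1])
    return [frozenset({(True, r_name(kappa), (x, fx))}),
            frozenset({pi_lit(neg_lit, fx)})]

def tau(mlit, x):
    """tau_r([k]L, x) = q_[k]L(x); tau_r(~[k]L, x) = ~q_[k]L(x)."""
    sign, kappa, lit = mlit
    return (sign, q_box_name(kappa, lit), (x,))

def translate_modal_clause(lit, mlit, skolem, x='x'):
    """Pi_r([]*(true => L v M)) = { true => pi_r(L,x) v tau_r(M,x),
                                    true => ~tau_r(M,x) v pi_r(M,x) },
    the second formula split into clauses."""
    t = tau(mlit, x)
    return ([frozenset({pi_lit(lit, x), t})] +
            [frozenset({flip(t)}) | c for c in pi_modal(mlit, x, skolem)])

def schema_clause(schema, kappa, lit, skolem, x='x', y='y'):
    """The clause of Table 1 added for q_[kappa]L when [kappa] has the schema."""
    qx = (True, q_box_name(kappa, lit), (x,))
    qy = (True, q_box_name(kappa, lit), (y,))
    rxy = (True, r_name(kappa), (x, y))
    if schema == '4':                                    # transitivity
        return frozenset({flip(qx), flip(rxy), qy})
    if schema == '5':                                    # euclideanness
        return frozenset({flip(qy), flip(rxy), qx})
    if schema == 'B':                                    # symmetry
        return frozenset({flip(qy), flip(rxy), pi_lit(lit, x)})
    if schema == 'D':                                    # seriality
        return frozenset({(True, r_name(kappa), (x, (next(skolem), x)))})
    if schema == 'T':                                    # reflexivity
        return frozenset({(True, r_name(kappa), (x, x))})
    raise ValueError('unknown schema %r' % schema)

def show(clause):
    """Render a clause as  true => L1 v L2 v ...  for printing."""
    def term(t):
        return '%s(%s)' % (t[0], term(t[1])) if isinstance(t, tuple) else t
    lits = ['%s%s(%s)' % ('' if s else '~', p, ', '.join(term(a) for a in args))
            for s, p, args in sorted(clause, key=lambda l: (l[1], not l[0]))]
    return 'true => ' + (' v '.join(lits) if lits else 'false')

if __name__ == '__main__':
    sk = skolem_names()
    # []*(true => ~s v [k]p)  and  []*(true => s v ~[k]p), then the D clause for q_[k]p
    for c in translate_modal_clause((False, 's'), (True, 'k', (True, 'p')), sk):
        print(show(c))
    for c in translate_modal_clause((True, 's'), (False, 'k', (True, 'p')), sk):
        print(show(c))
    print(show(schema_clause('D', 'k', (True, 'p'), sk)))
```

The printed clauses are exactly the three modal clause shapes that Section 5 below singles out: the positive modal literal yields ¬q_[k]p(x) ∨ ¬r_k(x, y) ∨ q_p(y), the negative one yields q_[k]p(x) ∨ r_k(x, f1(x)) and q_[k]p(x) ∨ ¬q_p(f1(x)), and seriality adds r_k(x, f2(x)) with its own Skolem function.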



The formulae obtained by applying $\Pi_r$ to $\mathrm{SNF}_K$ clauses will be called $\mathrm{SNF}_r$ 
clauses. The target language of $\Pi_r$ can be viewed as a fragment of first-order 
logic allowing only unary and binary predicate symbols extended by the 
temporal operators $\bigcirc$ and $\Diamond$ or as a fragment of first-order temporal logic with 
the same restriction on predicate symbols and temporal operators. However, the 
semantics of the target language does not coincide with either of these as we will 
see below. In Section 5 we present a syntactic characterisation of the class of 
$\mathrm{SNF}_r$ clauses. The universal quantifiers in a $\mathrm{SNF}_r$ clause are usually omitted in 
our presentation. Any free variable in a $\mathrm{SNF}_r$ clause is assumed to be implicitly 
universally quantified. 

Again, following de Nivelle (4), depending on the additional properties of a 
modal operator $[\kappa]$ $\mathrm{SNF}_r$ clauses from Table 1 are added to the set of $\mathrm{SNF}_r$ 
clauses for every predicate symbol $q_{[\kappa]L}$ introduced by $\Pi_r$. The semantics of 
$\mathrm{SNF}_r$ clauses is given by temporal interpretations. A temporal interpretation is 
a tuple $(\mathcal{M}_r, \mathcal{I})$ where $\mathcal{M}_r$ is a tuple $(T, t_0, \iota)$ such that $T$ is a set of timelines 
with a distinguished timeline $t_0 \in T$, $\iota$ is a morphism mapping $n$-ary predicate 
symbols to $n$-ary relations on $V$, and $\mathcal{I}$ is an interpretation function mapping 
the constant $\mathbf{now}$ to $(t_0, 0)$, every variable symbol $x$ to an element of $V$, and 
every unary Skolem function $f$ to a morphism $\mathcal{I}(f) : V \to V$. The function $\mathcal{I}$ 
is extended to a function $\cdot^{\mathcal{I}}$ mapping terms to $V$ in the standard way, that is, 
$t^{\mathcal{I}} = \mathcal{I}(t)$ if $t$ is a variable or constant, and $f(t_1, \ldots, t_n)^{\mathcal{I}} = \mathcal{I}(f)(t_1^{\mathcal{I}}, \ldots, t_n^{\mathcal{I}})$, 
otherwise. 

Let $\mathcal{I}$ be an interpretation function. By $\mathcal{I}[x/w]$, where $x$ is a variable and $w$ 
is a point, we denote an interpretation function $\mathcal{I}'$ such that $\mathcal{I}'(y) = \mathcal{I}(y)$ for any 
symbol $y$ distinct from $x$, and $\mathcal{I}'(x) = w$. If $x_1, \ldots, x_n$ are distinct variables and 
$w_1, \ldots, w_n$ are points, then $\mathcal{I}[x_1/w_1, \ldots, x_n/w_n]$ denotes $\mathcal{I}[x_1/w_1] \ldots [x_n/w_n]$. 
If $w = (t, k)$ is a point and $n \in \mathbb{N}$, then $w^{+n}$ denotes the point $(t, k + n)$. If 
$f$ is a mapping from points to points, then $f^{+n}$ denotes a function defined by 
$f^{+n}(w) = f(w)^{+n}$ for every $w \in V$, that is, for every $w \in V$, if $f(w) = (t, k)$, 
then $f^{+n}(w) = (t, k + n)$. By $\mathcal{I}^{+n}$ we denote an interpretation function defined 
by $\mathcal{I}^{+n}(s) = \mathcal{I}(s)^{+n}$ for every symbol $s$ in the domain of $\mathcal{I}$. 

$(\mathcal{M}_r, \mathcal{I}) \models \mathbf{true}$ 
$(\mathcal{M}_r, \mathcal{I}) \not\models \mathbf{false}$ 
$(\mathcal{M}_r, \mathcal{I}) \models p(t_1, \ldots, t_n)$ iff $(t_1^{\mathcal{I}}, \ldots, t_n^{\mathcal{I}}) \in \iota(p)$ 
$(\mathcal{M}_r, \mathcal{I}) \models \neg\varphi$ iff $(\mathcal{M}_r, \mathcal{I}) \not\models \varphi$ 
$(\mathcal{M}_r, \mathcal{I}) \models \varphi \wedge \psi$ iff $(\mathcal{M}_r, \mathcal{I}) \models \varphi$ and $(\mathcal{M}_r, \mathcal{I}) \models \psi$ 
If $(\mathcal{M}_r, \mathcal{I}) \models \varphi$, then $(\mathcal{M}_r, \mathcal{I})$ satisfies $\varphi$ and $\varphi$ is satisfiable. Although the 
syntax of $\mathrm{SNF}_r$ clauses resembles that of first-order temporal logic, the semantics 
is different. Unlike in first-order temporal logic variables are not interpreted as 
elements of domains attached to points, but are interpreted as points. Likewise 
constants and function symbols are not interpreted as morphisms on domains 
but as morphisms on points. In fact, the semantics is still based on the same 
building blocks: timelines, points, relations on points and mappings between 
points and symbols of our language (or vice versa). 

However, note that for formulae not containing any occurrences of the $\bigcirc$ and $\Diamond$ 
operators, temporal interpretations act like standard first-order interpretations. 



Theorem 4. Let $N$ be a set of $\mathrm{SNF}_K$ clauses. Then $N$ is satisfiable if and only 
if $\Pi_r(N)$ is satisfiable. 

Proof. For an arbitrary connected model $\mathcal{M}$ for $N$ we are able to construct a 
temporal interpretation $(\mathcal{M}_r, \mathcal{I})$ for $\Pi_r(N)$ and vice versa. The proof that $\mathcal{M}$ 
and $(\mathcal{M}_r, \mathcal{I})$ satisfy $N$ and $\Pi_r(N)$, respectively, proceeds by induction on the 
structure of formulae in $N$ and $\Pi_r(N)$. 



5 A Calculus for MTL 

We call a literal $L$ shallow if all its argument terms are either variables or 
constants, otherwise it is deep. If $C$ is a disjunction or conjunction of shallow, 
unary literals, then by $C[x]$ we indicate that all literals in $C$ have a common 
variable argument term $x$, and $C[x/y]$ is obtained by replacing every occurrence 
of $x$ in $C$ by $y$. Similarly, if $L$ is a monadic literal, we write $L[t]$ to indicate that 
the term $t$ is the argument of $L$. 

A clause is a formula of the form $P \Rightarrow \varphi$ where $P$ is a conjunction of literals 
and $\varphi$ is a disjunction of literals, a formula of the form $\Diamond L$, or a formula $\bigcirc C$ 
where $C$ is a disjunction of literals. The empty clause is $\mathbf{false}$ or $\mathbf{true} \Rightarrow \mathbf{false}$. We 
regard the logical connectives $\wedge$ and $\vee$ in clauses to be associative, commutative, 
and idempotent. Equality of clauses is taken to be equality modulo variable 
renaming. 

A clause $C$ is a simple clause if and only if all literals in $C$ are shallow, unary, 
and share the same argument term. A conjunction (disjunction) $C$ is a simple 
conjunction (disjunction) iff $C$ is a conjunction (disjunction) of shallow, unary 
literals that share the same argument term. For a conjunction $P$, $\sim P$ denotes 
the negation normal form of $\neg P$. 
A clause $C$ is a temporal clause if and only if it either has the form $P[t] \Rightarrow 
\bigcirc D[t]$ or $P[x] \Rightarrow \Diamond L[x]$ where $P[x]$ is a simple conjunction, $D[t]$ is a simple 
clause and $t$ is either a variable or the constant $\mathbf{now}$. A clause $C$ is a modal 
clause iff it either has the form $P[x] \Rightarrow r_\kappa(x, f(x))$, $P[x] \Rightarrow D[f(x)]$, or $P[x] \Rightarrow 
\neg r_\kappa(x, y) \vee D[y]$ where $P$ is a simple conjunction and $D[f(x)]$ is a clause of unary, 
deep literals with common argument $f(x)$. For a simple or modal clause $C$ we 
do not distinguish between $P \Rightarrow D$ and $\mathbf{true} \Rightarrow \sim P \vee D$. 

For every ground atom $A$, let the complexity measure $c(A)$ be the multiset 
of arguments of $A$. We compare complexity measures by the multiset extension $\succ_m$ 
of the strict subterm ordering. The ordering is lifted from ground to non-
ground expressions as follows: $A \succ' B$ if and only if $c(A\sigma) \succ_m c(B\sigma)$, for all 
ground instances $A\sigma$ and $B\sigma$ of atoms $A$ and $B$. The ordering $\succ'$ on atoms can be 
lifted to literals by associating with every positive literal $A$ the multiset $\{A\}$ and 
with every negative literal $\neg A$ the multiset $\{A, A\}$, and comparing these by the 
multiset extension of $\succ'$. We denote the resulting ordering by $\succ$. The ordering $\succ$ 
is an admissible ordering in the sense of Bachmair and Ganzinger (2). Thus, the 
following two inference rules provide a sound and complete calculus for first-order 
logic in clausal form: 

Res 
$\dfrac{\mathbf{true} \Rightarrow C \vee A \qquad \mathbf{true} \Rightarrow D \vee \neg B}{\mathbf{true} \Rightarrow (C \vee D)\sigma}$ 

where (i) $C \vee A$ and $D \vee \neg B$ are simple or modal clauses, (ii) $\sigma$ is the most general 
unifier of $A$ and $B$, (iii) $A\sigma$ is strictly $\succ$-maximal with respect to $C\sigma$, and (iv) 
$\neg B\sigma$ is $\succ$-maximal with respect to $D\sigma$. As usual we assume that premises of 
resolution inference steps are variable disjoint. 

Fac 
$\dfrac{\mathbf{true} \Rightarrow C \vee L_1 \vee L_2}{\mathbf{true} \Rightarrow (C \vee L_1)\sigma}$ 

where (i) $C \vee L_1 \vee L_2$ is a simple or modal clause, (ii) $\sigma$ is the most general 
unifier of $L_1$ and $L_2$, and (iii) $L_1\sigma$ is $\succ$-maximal with respect to $C\sigma$. 

Lemma 10 will show that the factoring inference rule is not required for 
the completeness of our calculus if we assume that the logical connective $\vee$ is 
idempotent. 

The remaining inference rules are similar to those of the calculus for linear 
temporal logic presented in Dixon et al. (5). An inference by step resolution 
takes one of the following forms 

SRes1 
$\dfrac{P \Rightarrow \bigcirc(C \vee L_1) \qquad Q \Rightarrow \bigcirc(D \vee L_2)}{(P \wedge Q)\sigma \Rightarrow \bigcirc(C \vee D)\sigma}$ 

SRes2 
$\dfrac{\mathbf{true} \Rightarrow C \vee L_1 \qquad Q \Rightarrow \bigcirc(D \vee L_2)}{Q\sigma \Rightarrow \bigcirc(C \vee D)\sigma}$ 

SRes3 
$\dfrac{P \Rightarrow \bigcirc\mathbf{false}}{\mathbf{true} \Rightarrow \sim P}$ 

where (i) $P$ and $Q$ are simple conjunctions, (ii) $C \vee L_1$ and $D \vee L_2$ are simple 
clauses, and (iii) $\sigma$ is the most general unifier of $L_1$ and $\sim L_2$. 
The following merge rule allows the formation of the conjunction of temporal 
clauses. 

Merge 
$\dfrac{P_0[x_0] \Rightarrow \bigcirc C_0[x_0] \qquad \cdots \qquad P_n[x_n] \Rightarrow \bigcirc C_n[x_n]}{\bigwedge_{i=0}^n P_i[y] \Rightarrow \bigcirc \bigwedge_{i=0}^n C_i[y]}$ 

where (i) each $P_i$, $0 \le i \le n$, is a simple conjunction, (ii) each $C_i$, $0 \le i \le n$, is 
a simple clause, (iii) $y$ is a new variable. The conclusion of an inference step by 
the merge rule is a merged temporal clause. The only purpose of this rule is to 
ease the presentation of the following temporal resolution rule. 

An inference by temporal resolution takes the following form 

TRes 
$\dfrac{P_0[x_0] \Rightarrow \bigcirc G_0[x_0] \qquad \cdots \qquad P_n[x_n] \Rightarrow \bigcirc G_n[x_n] \qquad A(y) \Rightarrow \Diamond L(y)}{A(y) \Rightarrow (\bigwedge_{i=0}^n \neg P_i[y])\,\mathcal{W}\,L(y)}$ 

where (i) each $P_i[x_i] \Rightarrow \bigcirc G_i[x_i]$, $0 \le i \le n$, is a merged temporal clause, (ii) 
for all $i$, $0 \le i \le n$, $\forall x_i\,(G_i[x_i] \Rightarrow \neg L[x_i])$ and $\forall x_i\,(G_i[x_i] \Rightarrow \bigvee_{j=0}^n P_j[x_j/x_i])$ are 
provable. 

The conclusion $A(y) \Rightarrow (\bigwedge_{i=0}^n \neg P_i[y])\,\mathcal{W}\,L(y)$ of an inference by temporal 
resolution has to be transformed into normal form. Thus, we obtain, for every 
$i$ with $0 \le i \le n$, 

(1) $\mathbf{true} \Rightarrow \neg A(y) \vee L(y) \vee \sim P_i(y)$ 
(2) $\mathbf{true} \Rightarrow \neg A(y) \vee L(y) \vee q^{\mathcal{W}}_L(y)$ 
(3) $q^{\mathcal{W}}_L(y) \Rightarrow \bigcirc(L(y) \vee \sim P_i(y))$ 
(4) $q^{\mathcal{W}}_L(y) \Rightarrow \bigcirc(L(y) \vee q^{\mathcal{W}}_L(y))$, 

where $q^{\mathcal{W}}_L$ is a new unary predicate symbol uniquely associated with $L$. 

The calculus $\mathcal{C}_{\mathrm{MTL}}$ consists of the inference rules Res, Fac, SRes1, SRes2, 
SRes3, Merge, and TRes. It is possible to replace Merge and TRes by a single 
inference rule which uses ordinary temporal clauses as premises and forms the 
merged clauses only in an intermediate step to compute the conclusion of an 
application of the temporal resolution rule. Thus, in our considerations in Sec-
tions 6 and 7 we will not explicitly mention the Merge inference rule and merged 
temporal clauses. 

6 Soundness of $\mathcal{C}_{\mathrm{MTL}}$ 

Lemma 5. Let $\mathbf{true} \Rightarrow C$ be a clause and let $\sigma$ be a substitution. If $\mathbf{true} \Rightarrow C$ is 
satisfiable, then $\mathbf{true} \Rightarrow C\sigma$ is satisfiable. 

Theorem 6 (Soundness). Let $\varphi$ be a well-formed formula of MTL. If a re-
futation of $\Pi_r(\Pi_K(\varphi))$ in $\mathcal{C}_{\mathrm{MTL}}$ exists then $\varphi$ is unsatisfiable. 

Proof. We show for every instance of an inference rule of $\mathcal{C}_{\mathrm{MTL}}$ that the 
satisfiability of the premises implies the satisfiability of the conclusion. In the 
case of Res and Fac this is straightforward since temporal interpretations act 
like first-order interpretations and we know that Res and Fac are sound with 
respect to first-order logic. The proof for the remaining inference rules can be 
found in (Hustadt et al. 12). 

7 Termination of $\mathcal{C}_{\mathrm{MTL}}$ 

The termination proof for our calculus will take advantage of the following ob-
servations. 

1. $\mathrm{SNF}_r$ clauses can be divided into three disjoint classes: temporal clauses, 
modal clauses, and simple clauses. It is straightforward to check that if $N$ 
is a set of $\mathrm{SNF}_K$ clauses then all clauses in $\Pi_r(N)$ including the clauses we 
add for one of the axiom schemata 4, 5, B, D, and T belong to exactly one 
of these classes. 

Note that simple and modal clauses are standard first-order clauses. 

2. The inference rules of our calculus can be divided into two classes: Res and 
Fac are the standard inference rules for ordered resolution and only modal 
clauses and simple clauses are premises in inference steps by these rules. The 
conclusion of such an inference step will again be a clause belonging to one 
of these two classes as we show in Lemma 9 and Lemma 10 below. 

SRes1, SRes2, SRes3, and TRes are variants of the inference rules of the 
resolution calculus for linear temporal logic presented in Dixon et al. (5). 
Only temporal and simple clauses can be premises of inference steps by these 
rules. The conclusion of such an inference step will consist of clauses which 
again belong to one of these classes as is shown in Lemma 11 and Lemma 12 
below. 

Thus, the clauses under consideration and the calculus enjoy a certain modula-
rity. Interaction between the two classes of inference rules and the classes of tem-
poral and modal clauses is only possible via the class of simple clauses. Given 
a finite signature, the classes of simple, modal, and temporal clauses are finitely 
bounded. Termination of any derivation from $\mathrm{SNF}_r$ clauses is a direct consequence 
of the closure properties of the inference rules mentioned above. 

Lemma 7. Let $\varphi$ be a well-formed formula of MTL. Every clause in $\Pi_r(\Pi_K(\varphi))$ 
is either a simple, a temporal, or a modal clause. 

Lemma 8. Given a finite signature $\Sigma$, the classes of simple, modal and temporal 
clauses over $\Sigma$ are finitely bounded. 

Proof. Note that the only terms which can occur in these clauses are either 
variables, the constant $\mathbf{now}$, or terms of the form $f(t)$ where $t$ is either a variable 
or a constant. Furthermore, no clause has more than two variables. Given that, 
we can show that the length of clauses is linear in the size of the signature, 
limiting the number of non-variant clauses to an exponential number in the size 
of the signature. 

The proof shows that $\mathrm{SNF}_r$ clauses have a linear length in the size of the signa-
ture. That gives us a single-exponential space (and time) bound for our decision 
procedure. 

Due to side condition (i) of the inference rules Res and Fac, temporal clauses 
cannot be premises of inference steps by these rules. Simple clauses and modal 
clauses are special cases of DL-clauses (Hustadt and Schmidt 13). The following 
two lemmata follow directly from the corresponding result for DL-clauses. 

Lemma 9. Let C_1 ∨ A and C_2 ∨ ¬B be SNF_r clauses and let C = (C_1 ∨ C_2)σ be an ordered resolvent of these clauses. Then C is either a modal clause or a simple clause.

Lemma 10. Let C_1 = D_1 ∨ L_1 ∨ L_2 be an SNF_r clause and let C = (D_1 ∨ L_1)σ be a factor of C_1. Then C is either a modal clause or a simple clause, and an application of the factoring rule simply amounts to the removal of duplicate literals in C_1.

By a case analysis of all possible inference steps by SRes1, SRes2, SRes3, and TRes on SNF_r clauses we obtain the following two lemmata.

Lemma 11. Let C_1 and C_2 be SNF_r clauses and let C be the conclusion of inference steps by SRes1, SRes2, or SRes3 from C_1 and C_2. Then C is a temporal clause or a simple clause.

Lemma 12. Let C_1, ..., C_n be SNF_r clauses and let C be one of the clauses resulting from the transformation of the conclusion of an application of TRes to C_1, ..., C_n. Then C is a simple or a temporal clause.

We are now in the position to state the main theorem of this section. 

Theorem 13 (Termination). Let φ be a well-formed formula of MTL. Any derivation from Π_r(Π_K(φ)) in C_MTL terminates.

Proof. By induction on the length of the derivation from Π_r(Π_K(φ)) we can show that any clause occurring in the derivation is either a simple, modal, or temporal clause. Lemma 7 proves the base case that every clause in Π_r(Π_K(φ)) satisfies this property. Lemmata 9, 10, 11, and 12 establish the induction step of the proof.

The signature of clauses in Π_r(Π_K(φ)) is obviously finite. By Lemma 8 the classes of simple, modal, and temporal clauses based on a finite signature are finitely bounded. Thus, after a finitely bounded number of inference steps we will have derived the empty clause or no new clauses will be added to the set of clauses. In both cases the derivation terminates.

8 Completeness of C_MTL

The proof of completeness proceeds as follows. We describe a canonical construction of a behaviour graph and reduced behaviour graph for a given set N of SNF_r clauses. In Theorem 14 we show that N is unsatisfiable if and only if its reduced behaviour graph is empty. Theorem 16 shows that if the reduced behaviour graph for N is empty, then we are able to derive a contradiction using C_MTL. Theorems 14 and 16 together imply that for any unsatisfiable set N of SNF_r clauses we can derive a contradiction. Thus, C_MTL is complete. Details of the construction of behaviour graphs, reduced behaviour graphs, and the proofs of the results of this section can be found in (Hustadt et al. 12).

Theorem 14. Let N be a set of SNF_r clauses. Then N is unsatisfiable if and only if its reduced behaviour graph is empty.

Proof. The constructions are similar to those in Dixon et al. (5), except that we 
have explicit nodes and edges for the modal dimension for our logic, which were 
not necessary in the case that we have only the modal logic S5. 

Lemma 15. Let N be a set of SNF_r clauses. If the unreduced behaviour graph for N is empty, then we can derive a contradiction from N using only the inference rules Res, SRes1, SRes2, and SRes3 of C_MTL.

Proof. If the unreduced behaviour graph is empty, then every node we constructed originally has been deleted because one of the simple, modal, or temporal clauses of the form P[x] ⇒ ○C[x] is not true at n_s. Thus, we can use the inference rules Res, SRes1, SRes2, and SRes3 to derive a contradiction.

Theorem 16. Let N be a set of SNF_r clauses. If the reduced behaviour graph for N is empty, then we can derive a contradiction from N by C_MTL.

Proof. Let N be an unsatisfiable set of SNF_r clauses. The proof is by induction on the number of nodes in the behaviour graph of N. If the unreduced behaviour graph is empty, then by Lemma 15 we can obtain a refutation using the inference rules Res, SRes1, SRes2, and SRes3.

Suppose that the unreduced behaviour graph G is non-empty. By Theorem 14 the reduced behaviour graph must be empty, so each node in G can be deleted by reduction rules similar to those in (Dixon et al. 5). The deletion of these nodes is shown to correspond to applications of step resolution and temporal resolution along the lines of Dixon et al. (5).

The completeness theorem now follows from Theorems 3, 4, and 16. 

Theorem 17 (Completeness). Let φ be a well-formed formula of MTL. If φ is unsatisfiable, then there exists a refutation of Π_r(Π_K(φ)) by C_MTL.

9 Example Refutation 

We show that [K]○p ∧ □[K](p ⇒ ○p) ⇒ ◇□p is valid if [K] is a T modality. This is done by proving the unsatisfiability of

φ = [K]○p ∧ □[K](p ⇒ ○p) ∧ □◇¬p

Π_r(Π_K(φ)) is equal to the following set of clauses:

(5) true ⇒ q_0(now)

(6) true ⇒ ¬q_0(x) ∨ q_{[K]○p}(x)

(7) true ⇒ ¬q_0(x) ∨ q_1(x)

(8) true ⇒ ¬q_0(x) ∨ q_2(x)

(9) true ⇒ ¬q_{[K]○p}(x) ∨ ¬r_K(x,y) ∨ q_3(y)

(10) q_3(z) ⇒ ○q_p(z)

(11) true ⇒ ¬q_1(x) ∨ q_{[K](p⇒○p)}(x)

(12) q_1(x) ⇒ ○q_1(x)

(13) true ⇒ ¬q_{[K](p⇒○p)}(x) ∨ ¬r_K(x,y) ∨ q_4(y)

(14) true ⇒ ¬q_4(x) ∨ ¬q_p(x) ∨ q_5(x)

(15) q_5(x) ⇒ ○q_p(x)

(16) q_2(x) ⇒ ○q_6(x)

(17) q_6(x) ⇒ ◇¬q_p(x)

(18) r_K(x,x)



The derivation proceeds as follows:

[(18)1, (13)2, Res] (19) true ⇒ ¬q_{[K](p⇒○p)}(x) ∨ q_4(x)

[(11)1, (12)2, SRes2] (20) q_1(x) ⇒ ○q_{[K](p⇒○p)}(x)

[(19)1, (20)2, SRes2] (21) q_1(x) ⇒ ○q_4(x)

[(14)1, (21)2, SRes2] (22) q_1(x) ⇒ ○(¬q_p(x) ∨ q_5(x))

[(15)2, (22)2, SRes1] (23) q_1(x) ∧ q_5(x) ⇒ ○q_5(x)

[(12), (15), (23), Merge] (24) q_1(x) ∧ q_5(x) ⇒ ○(q_1(x) ∧ q_5(x) ∧ q_p(x))



Intuitively, clause (24) says that once q_1 and q_5 hold at a point x, then q_1, q_5, and q_p will hold at any temporal successor of x. Thus, once we reach x we will not be able to satisfy ◇¬q_p(x). This gives rise to an application of the temporal resolution rule to (17) and (24). We obtain the following four clauses from the conclusion of this inference step.



[(17), (24), TRes] (25) true ⇒ ¬q_6(x) ∨ ¬q_p(x) ∨ ¬q_1(x) ∨ ¬q_5(x)

(26) true ⇒ ¬q_6(x) ∨ ¬q_p(x) ∨ q_7(x)

(27) q_7(x) ⇒ ○(¬q_p(x) ∨ ¬q_1(x) ∨ ¬q_5(x))

(28) q_7(x) ⇒ ○(¬q_p(x) ∨ q_7(x))



In the following only clause (25) will be relevant. We now show that q_1, q_2 and q_3 cannot be true at the same point x.



[(14)3, (25)4, Res] (29) true ⇒ ¬q_6(x) ∨ ¬q_p(x) ∨ ¬q_1(x) ∨ ¬q_4(x)

[(19)2, (29)4, Res] (30) true ⇒ ¬q_6(x) ∨ ¬q_p(x) ∨ ¬q_1(x) ∨ ¬q_{[K](p⇒○p)}(x)

[(11)2, (30)4, Res] (31) true ⇒ ¬q_6(x) ∨ ¬q_p(x) ∨ ¬q_1(x)

[(12)2, (31)3, SRes2] (32) q_1(x) ⇒ ○(¬q_6(x) ∨ ¬q_p(x))

[(16)2, (32)3, SRes1] (33) q_1(x) ∧ q_2(x) ⇒ ○¬q_p(x)

[(10)2, (33)3, SRes1] (34) q_1(x) ∧ q_2(x) ∧ q_3(x) ⇒ ○false

[(34), SRes3] (35) true ⇒ ¬q_1(x) ∨ ¬q_2(x) ∨ ¬q_3(x)



The remainder of the refutation is straightforward. Based on the clauses (5) to (9) and the reflexivity of r_K, it is easy to see that q_1, q_2, and q_3 are true at the point now, which contradicts clause (35).
[(18)1, (9)2, Res] (36) true ⇒ ¬q_{[K]○p}(x) ∨ q_3(x)

[(36)2, (35)3, Res] (37) true ⇒ ¬q_1(x) ∨ ¬q_2(x) ∨ ¬q_{[K]○p}(x)

[(6)2, (37)3, Res] (38) true ⇒ ¬q_1(x) ∨ ¬q_2(x) ∨ ¬q_0(x)

[(7)2, (38)1, Res] (39) true ⇒ ¬q_2(x) ∨ ¬q_0(x)

[(8)2, (39)1, Res] (40) true ⇒ ¬q_0(x)

[(5)1, (40)1, Res] (41) true ⇒ false
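The refutation above, replayed in code as an added example (not from the paper): a small propositional step-resolution engine with Res, SRes1, SRes2 and SRes3 in the form the derivation uses. It assumes all clauses are read at one fixed point x (so variables and r_K drop out), takes (9) and (13) already resolved with (18), and feeds the TRes conclusion (25) in as input because temporal resolution is not modelled; saturate() then finds the empty clause on its own.

```python
"""Propositional step resolution (Res, SRes1, SRes2, SRes3) on the example clauses.

Added example, not code from the paper. Simplifying assumption: every clause is read at
one fixed point x, so variables and the accessibility atom r_K disappear; (9) and (13)
are taken already resolved with (18), i.e. as (36) and (19); the TRes conclusion (25)
is supplied as input since temporal resolution is not modelled. Literals are strings,
'~' marks negation; q_{[K]Op} is written qK and q_{[K](p=>Op)} is written qKp.
"""
from itertools import product


def neg(lit):
    """Complement of a literal."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def tautology(lits):
    return any(neg(l) in lits for l in lits)


# A simple clause  true => L1 v ... v Ln  is a frozenset of literals.
# A step clause  A1 ^ ... ^ Am => O(L1 v ... v Ln)  is (frozenset(atoms), frozenset(lits)).

def res(c1, c2, lit):
    """Res: true => C1 v lit,  true => C2 v ~lit  |-  true => C1 v C2."""
    return (c1 - {lit}) | (c2 - {neg(lit)})


def sres1(s1, s2, lit):
    """SRes1: A => O(C v lit),  B => O(D v ~lit)  |-  A ^ B => O(C v D)."""
    (a, c), (b, d) = s1, s2
    return (a | b, (c - {lit}) | (d - {neg(lit)}))


def sres2(step, simple, lit):
    """SRes2: A => O(C v lit),  true => D v ~lit  |-  A => O(C v D)."""
    a, c = step
    return (a, (c - {lit}) | (simple - {neg(lit)}))


def sres3(step):
    """SRes3: A1 ^ ... ^ Am => O false  |-  true => ~A1 v ... v ~Am."""
    a, c = step
    assert not c, "SRes3 applies only to a clause with O false on the right"
    return frozenset(neg(x) for x in a)


def saturate(simple, step):
    """Apply the four rules until no new clause appears or the empty clause is derived.
    Returns (refuted, simple_clauses, step_clauses). Termination follows from the
    finite signature: only finitely many non-tautological clauses exist."""
    simple, step = set(simple), set(step)
    while True:
        new_simple, new_step = set(), set()
        for c1, c2 in product(simple, repeat=2):
            for lit in c1:
                if neg(lit) in c2:
                    new_simple.add(res(c1, c2, lit))
        for s in step:
            for c in simple:
                for lit in s[1]:
                    if neg(lit) in c:
                        new_step.add(sres2(s, c, lit))
            for s2 in step:
                for lit in s[1]:
                    if neg(lit) in s2[1]:
                        new_step.add(sres1(s, s2, lit))
            if not s[1]:
                new_simple.add(sres3(s))
        new_simple = {c for c in new_simple if not tautology(c)}
        new_step = {s for s in new_step if not tautology(s[1])}
        if frozenset() in new_simple:
            return True, simple | new_simple, step | new_step
        if new_simple <= simple and new_step <= step:
            return False, simple, step
        simple |= new_simple
        step |= new_step


def S(*lits):            # simple clause
    return frozenset(lits)


def T(atoms, lits):      # step clause
    return (frozenset(atoms), frozenset(lits))


# Constructed input: the clauses needed for the final refutation, propositional reading.
CLAUSES_SIMPLE = [S("q0"),                     # (5)
                  S("~q0", "qK"),              # (6)
                  S("~q0", "q1"),              # (7)
                  S("~q0", "q2"),              # (8)
                  S("~q6", "~qp", "~q1"),      # (31)
                  S("~qK", "q3")]              # (36) = (9) resolved with (18)
CLAUSES_STEP = [T(["q3"], ["qp"]),             # (10)
                T(["q1"], ["q1"]),             # (12)
                T(["q2"], ["q6"])]             # (16)


def replay():
    """Replays steps (29)-(35) of the paper's derivation; returns {number: clause}."""
    d = {}
    d[29] = res(S("~q4", "~qp", "q5"), S("~q6", "~qp", "~q1", "~q5"), "q5")
    d[30] = res(S("~qKp", "q4"), d[29], "q4")
    d[31] = res(S("~q1", "qKp"), d[30], "qKp")
    d[32] = sres2(T(["q1"], ["q1"]), d[31], "q1")   # q1 => O(~q6 v ~qp)
    d[33] = sres1(T(["q2"], ["q6"]), d[32], "q6")   # q1 ^ q2 => O ~qp
    d[34] = sres1(T(["q3"], ["qp"]), d[33], "qp")   # q1 ^ q2 ^ q3 => O false
    d[35] = sres3(d[34])                            # true => ~q1 v ~q2 v ~q3
    return d


if __name__ == "__main__":
    print("clause (35):", sorted(replay()[35]))
    print("empty clause derived:", saturate(CLAUSES_SIMPLE, CLAUSES_STEP)[0])
```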



10 Conclusion 



We have presented a framework for the combination of modal and temporal logics consisting of (i) a normal form transformation of formulae of the combined logics into sets of SNF_K clauses, (ii) a translation of modal subformulae in SNF_K clauses into a first-order language, and (iii) a calculus C_MTL for the combined logic which can be divided into standard resolution inference rules for first-order logic and modified resolution inference rules for discrete linear temporal logic.

The calculus C_MTL provides a decision procedure for combinations of subsystems of multi-modal S5 with linear temporal logic.

Note that instead of modifying the inference rules for discrete linear temporal logic we could have retained them in their original form and added bridging rules between the two logics. We have shown that the only clauses which can be premises of the first-order inference rules as well as of the temporal inference rules are simple clauses. So, assume that Π_r leaves any SNF_K clauses with occurrences of the temporal connectives ○ and ◇ unchanged. Furthermore, let δ be the homomorphic extension of a function that maps atoms q_p(x) to q_p. Then an alternative calculus to C_MTL consists of Res, Fac, the original step resolution rules and temporal inference rule by Dixon et al. (5), and the two bridging rules

true ⇒ C
-------------
true ⇒ δ(C)

true ⇒ δ(C)
-------------
true ⇒ C

where true ⇒ C is a simple clause. This again stresses the importance of the observation that simple clauses control the interaction between the two calculi involved. The bridging rules allow for the translation of simple clauses during the derivation, thus providing an interface between the two calculi we have combined. This approach is closely related to the work by Ghidini and Serafini (9).

Although we have only considered the basic modal logic K and its extensions 
by the axiom schemata 4, 5, B, D, and T, we are confident that soundness, 
completeness, and termination can be guaranteed for a much wider range of 
modal logics. 

An important extension of the combinations of modal logics we are currently 
investigating is the addition of interactions between modal and temporal logics. 
In the presence of interactions the modularity of the calculus and the modularity 
of our proofs, in particular the proof of termination, can no longer be preserved. 
Abstract. We define a sound and complete logic, called FO⊃, which extends classical first-order predicate logic with intuitionistic implication.

As expected, to allow the interpretation of intuitionistic implication, the semantics of FO⊃ is based on structures over a partially ordered set of worlds. In these structures, classical quantifiers and connectives (in particular, implication) are interpreted within one (involved) world. Consequently, the forcing relation between worlds and formulas becomes non-monotonic with respect to the ordering on worlds. We study the effect of this lack of monotonicity in order to define the satisfaction relation and the logical consequence relation which it induces.

With regard to proof systems for FO⊃, we follow Gentzen's approach of sequent calculi (cf. [8]). However, to deal with the two different implications simultaneously, the sequent notion needs to be more structured than the traditional one. Specifically, in our approach, the antecedent is structured as a sequence of sets of formulas. We study how inference rules preserve soundness, defining a structured notion of logical consequence. Then, we give some general sufficient conditions for the completeness of this kind of sequent calculi and also provide a sound calculus which satisfies these conditions. By means of these two steps, the completeness of FO⊃ is proved in full detail. The proof follows Hintikka's set approach (cf. [11]); however, we define a more general procedure, called back-saturation, to saturate a set with respect to a sequence of sets.



1 Introduction 

Combining different logical systems has become very common in several areas of computer science. In this paper, we introduce a logical system, called FO⊃, obtained by using a combination of classical and intuitionistic logic. Our original motivation for defining this logic was to provide logical foundations for logic programming (LP) languages which combine classical (→) and intuitionistic (⊃) implication. A well-founded LP language should be entirely supported by an underlying logic. This means that the declarative semantics of the LP language is based on the logical model theory, and at the same time, the operational semantics is supported by the logical proof theory; cf. [15] for technical details. Sequent calculi provide a very natural and direct way to formalise the operational semantics of LP languages. It is well known that standard LP (Horn clause programming) is well-founded in classical first-order predicate logic. However, as mentioned in [10]:

“If the two implications are considered altogether, the resulting semantics differs from that of both intuitionistic and classical logic.”

Then, for the extension of LP languages with intuitionistic implication, our aim is to obtain complete sequent calculi for a sound extension of first-order predicate logic with intuitionistic implication. We want to make it clear that the concern of this paper is the logic FO⊃ itself, and not its application to LP. In fact, the latter is the main subject of [1].

The problem in combining Hilbert axiomatizations of classical and intuitionistic 
logic is shown in [2]: 

“It cannot be attained by simply extending the union of both axiomatizations by so called interaction axioms”

In fact, whenever both kinds of implicative connectives are mixed, some equivalences and axiom schemas are lost, and they collapse into classical logic. What they do to achieve a Hilbert-style axiomatization (and also a tableaux method) is to restrict some axiom schemas (and tableaux rules) to a special kind of formulas called persistent. The same restriction is used in the natural deduction system introduced in [12], which also combines classical and intuitionistic logic. Our proposal enables greater flexibility for developing deductions by introducing structure in the sequents, since this structure makes the above persistence restriction unnecessary. We will return to this matter in the last section, after FO⊃ has been presented.

FO⊃ syntax is first-order without any restriction; hence, we deal with variables, functions, predicates, connectives and quantifiers. For the semantical differentiation of both implications, it suffices to consider standard Kripke structures over a partially ordered set of worlds. Worlds have an associated classical first-order structure for the semantical interpretation of terms over its universe ([20,21]). An intuitionistic implication φ ⊃ ψ is satisfied in a world w if every world greater than w satisfying φ also satisfies ψ. By contrast, classical connectives and quantifiers are interpreted within one (involved) world. In particular, a world w satisfies φ → ψ if either w does not satisfy φ or satisfies ψ. As a consequence, the forcing relation between worlds and formulas becomes non-monotonic with respect to the ordering on worlds. This lack of monotonicity is taken into account to define the satisfaction and logical consequence relations. In particular, a Kripke model satisfies a formula whenever all its minimal worlds force it. This satisfaction relation avoids the collapse of both implications. Moreover, it induces (in the usual way) a logical consequence relation for FO⊃. With regard to sequent calculi for FO⊃ the central point is the nature of sequents.
Gentzen's original notion (cf. [8]) considers a sequent to be a pair (Γ, Φ) where the antecedent Γ and the consequent Φ are finite sequences of formulas. It is usual (in classical logic) to consider sets, instead of sequences, because this prevents some extra inference rules for duplication of formulas (contraction rule), interchanges of formulas (interchange rule), and so on. In intuitionistic logic, the consequent usually consists of a single formula. To deal with classical and intuitionistic implications within the same logic, the antecedent requires more structure, in order to avoid the collapse of both implications. We introduce this idea by means of two simple examples. Let us consider the three propositional symbols p, q, r. It is obvious that p → q is semantically weaker than p ⊃ q. Therefore, we should not allow the derivation of the sequent with p → q as antecedent and p ⊃ q as consequent. Roughly speaking, p → q is a “one world sentence”, whereas p ⊃ q is “about all greater worlds”. This meaning suggests that the “⊃-in-the-right” rule, to split p ⊃ q for putting p on the left and leaving q on the right, must be used with care about which worlds p → q and p are speaking about. In fact, the antecedent of the next sequent in our derivation tree has the sequence (but not the set) (p → q; p), obviously with q as consequent. This sequent should not be derivable, since p → q is saying nothing about greater worlds satisfying p. Moreover, to derive, for example, the valid (classical) sentence (p → q) → ((q → r) → (p → r)), it becomes useful to relate p → q, q → r and p to the same world in the antecedent sequence, taking r as the consequent. Thus sequences of sets arise as antecedents. Accordingly, in this paper, a sequent consists of a pair (Δ, χ) where the antecedent Δ is a (finite) sequence of (finite) sets of formulas and the consequent χ is a single formula. Hence, we say structured sequent calculus to emphasise its nature. For the study of structured deductive systems in a more general setting, see [5].

The rest of the paper is organised as follows: in Section 2 we give preliminary 
details about syntax and notation; in Section 3 we establish the model theory 
and the necessary semantical notions and properties; in Section 4 we present 
the soundness and completeness results for structured sequent calculi; finally, in 
Section 5, we summarise conclusions and related work. 

2 Preliminaries 

We consider signatures Σ consisting of countable (pairwise disjoint) sets VS_Σ of variable symbols, FS_Σ of function symbols, and PS_Σ of predicate symbols, with some specific arity for each function and predicate symbol. Function symbols of arity 0 are called constant symbols. We denote by Terms_Σ the set of all well-formed first-order Σ-terms, inductively defined by:

— A variable x ∈ VS_Σ is a Σ-term

— If f ∈ FS_Σ is n-ary and t_1, ..., t_n ∈ Terms_Σ, then f(t_1, ..., t_n) is a Σ-term.

The set Forms_Σ of all well-formed Σ-formulas contains the atomic formulas and the recursive composition of formulas by means of intuitionistic implication and classical connectives and quantifiers. For convenience, we consider the following atomic formulas:

— p(t_1, ..., t_n), for n-ary p ∈ PS_Σ and t_1, ..., t_n ∈ Terms_Σ

— f (falsehood).

In addition, we consider the classical connectives: negation (¬) and implication (→); the intuitionistic implication (⊃); and the classical universal quantifier ∀. The remaining connectives and quantifiers, i.e. conjunction (∧), disjunction (∨), existential quantification (∃), and intuitionistic negation (~), can be defined as abbreviations: φ ∧ ψ for ¬(φ → ¬ψ), φ ∨ ψ for ¬φ → ψ, ∃xφ for ¬∀x¬φ, and ~φ for φ ⊃ f. Even the intuitionistic universal quantifier can be expressed in FO⊃: the formula (¬f) ⊃ ∀xφ serves as its definition.

Terms without variable symbols are called closed terms. By means of quantifiers, formulas have free and bound variables. We denote by free(φ) the set of all free variables of the formula φ. We call a Σ-formula without free variables a Σ-sentence.

The uppercase Greek letters Γ and Φ (possibly with sub- and superscripts) will be used as metavariables for sets of formulas, whereas Δ, Δ', Δ'', ... are reserved to be metavariables for sequences of sets of formulas.

We denote by cons(t) the set of all constant symbols appearing in the term t. A very simple structural induction extends cons to formulas, sets of formulas and sequences of sets of formulas.

Structures (or models) are Kripke models of first-order intuitionistic logic ([20,21]); that is, we consider worlds with universes and interpretations of function symbols, as well as interpretations of predicate symbols. Variable assignments and substitution notation are especially awkward for dealing with Kripke models. For that reason, to define the semantics of quantifiers, we follow the approach in [19] of naming all elements of the universe:

Definition 1. Given a set of elements (or universe) A, a signature Σ can be extended to the signature Σ_A by adding a new constant symbol ā for each element a ∈ A. ■

In order to simplify substitution notation we write φ(t) for the simultaneous substitution instance of the formula φ(x) with terms t for variables x. The notation φ(x) is a meta-expression, which does not mean that x is the exhaustive list of free variables of φ, nor that all of them occur as free variables in φ.

3 Non-monotonic Forcing and Logical Consequence 

In this section we first establish the semantical structures for FO⊃, and then define the forcing, satisfaction and logical consequence relations. At the same time, we point out some interesting meta-logical properties, such as, for example, the monotonicity of term evaluation and the substitution lemma, which are usual and useful in most of the well-known logics.

Semantical structures for FO⊃ are standard first-order Kripke structures with a partially ordered set of worlds ([20,21]). Worlds have an associated classical first-order structure over a universe. We consider that the signature of every world includes names for the individuals of its universe. We abbreviate by Σ_w the signature Σ_{A_w}, which extends Σ with a name ā for each a ∈ A_w (see Definition 1).

Definition 2. A Kripke Σ-structure is a triple K = (W(K), ≼, (A_w)_{w∈W(K)}) where

(a) (W(K), ≼) is a partially ordered set (of worlds)

(b) Each A_w is a first-order Σ_w-structure defined by:

— A non-empty universe A_w

— A function f^{A_w}: (A_w)^n → A_w for each n-ary f ∈ FS_{Σ_w}

— A set At_w of atomic Σ_w-formulas of the form p(ā_1, ..., ā_n)

such that for any pair of worlds v ≼ w:

1. A_v ⊆ A_w,

2. At_v ⊆ At_w, and

3. f^{A_w}(ā) = f^{A_v}(ā), for all n-ary f ∈ FS_{Σ_v} and all ā ∈ (A_v)^n. ■

These Kripke structures allow us to interpret Σ_w-terms in worlds in a monotonic way.

Definition 3. Let w be a world of a Kripke Σ-structure and let t ∈ Terms_{Σ_w}; its interpretation t^{A_w} (briefly t^w) is inductively defined as follows:

— ā^{A_w} = a for any a ∈ A_w

— (f(t_1, ..., t_n))^{A_w} = f^{A_w}(t_1^{A_w}, ..., t_n^{A_w}). ■

Proposition 4. For any t ∈ Terms_{Σ_v}, any Kripke structure K and any pair of worlds v, w ∈ W(K) such that v ≼ w: t^w = t^v ∈ A_v ⊆ A_w.

Proof: The usual proof by structural induction on t is suitable. ■

The satisfaction of sentences in worlds is handled by the following forcing relation:

Definition 5. Letting K be a Kripke Σ-structure, the binary forcing relation ⊩ between worlds in W(K) and Σ_w-formulas is inductively defined as follows:

w ⊮ f
w ⊩ p(t_1, ..., t_n) iff p(t_1^w, ..., t_n^w) ∈ At_w
w ⊩ ¬φ iff w ⊮ φ
w ⊩ φ → ψ iff w ⊮ φ or w ⊩ ψ
w ⊩ φ ⊃ ψ iff for all v ∈ W(K) such that w ≼ v: if v ⊩ φ then v ⊩ ψ
w ⊩ ∀xφ(x) iff w ⊩ φ(ā) for all a ∈ A_w.

For a set of formulas Φ, w ⊩ Φ means that w ⊩ φ for all φ ∈ Φ.

It is obvious that ⊩ is relative to K, hence we will write ⊩_K whenever the simplified notation ⊩ may be ambiguous.
FO⊃ satisfies the following meta-logical property:

Lemma 6. (Substitution Lemma) For any Kripke Σ-structure K, any w ∈ W(K), any closed Σ_w-terms t_1, t_2 and any Σ-formula φ with free(φ) ⊆ {x}:

If t_1^w = t_2^w and w ⊩ φ(t_1), then w ⊩ φ(t_2).

Proof: A very easy structural induction on φ. ■

By Definition 2, it is obvious that the forcing relation ⊩ behaves monotonically for atomic sentences; therefore we say that FO⊃ is atomically monotonic. However, in contrast with (pure) intuitionistic logic, monotonicity cannot be extended to arbitrary sentences. This happens because FO⊃ gives a non-intuitionistic semantics to negation, classical implication and universal quantification. The following example illustrates this behaviour.

Example 7. Consider the following Kripke structure K with W(K) = {u, v, w} such that u ≺ v ≺ w, A_u with universe {a}, A_v with universe {a, b}, A_w with universe {a, b, c}, At_u = ∅, At_v = {r(a), r(b)}, and At_w = {r(a), r(b)}. In such a model, the world u forces ¬r(a) and also r(a) → q(a), but v does not force either. Moreover, v forces ∀x r(x), but w does not. ■

Now, our aim is to define a satisfaction relation between Kripke structures and sentences, from which a logical consequence relation between sets of sentences and sentences may be induced in the usual way.

Definition 8. Let ⊨_a be a satisfaction relation between Σ-structures and Σ-sentences; then the induced logical consequence relation, denoted by the same symbol ⊨_a, is defined as follows.

For every set of Σ-sentences Γ ∪ {φ}:

Γ ⊨_a φ iff for all Kripke Σ-structures K: K ⊨_a Γ ⇒ K ⊨_a φ. ■

It should be noted at the outset that we cannot define the satisfaction relation as it is commonly done in well-known logics with possible worlds semantics, like intuitionistic logic (cf. [20,21]) and modal logics (cf. [4]). The reason is that, under this usual notion (recalled in Definition 9), both implications collapse into the intuitionistic one.

Definition 9. A Kripke structure K satisfies (or is a model of) a sentence φ if and only if w ⊩ φ for all w ∈ W(K). We call this relation global satisfaction and it is denoted by K ⊨_G φ. ■

It is easy to observe that, for logics with a monotonic forcing relation (e.g. intuitionistic logic), being forced in all worlds is equivalent to being forced in all minimal worlds. Hence, for this kind of logics, the logical consequence induced (in the sense of Definition 8) from global satisfaction (⊨_G) is equivalent to the one induced from the following minimal worlds satisfaction relation:




P. Lucio



Definition 10.

(a) We say that a world w ∈ W(K) is minimal if and only if there does not exist v ∈ W(K) such that v ≺ w.

(b) A Kripke Σ-structure K satisfies (or is a model of) a Σ-sentence φ (K ⊨ φ) if and only if w ⊩ φ for each minimal world w ∈ W(K).

(c) For sets of sentences: K ⊨ Γ if and only if K ⊨ φ for every φ ∈ Γ. ■

We adopt, for FO⊃, the satisfaction relation ⊨ of Definition 10(b) and the logical consequence relation (also denoted by ⊨) induced from it, in the sense of Definition 8.
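The forcing relation of Definition 5 and the two satisfaction relations of Definitions 9 and 10, run over the structure of Example 7, as an added example that is not part of the paper. The tuple encoding of formulas, the restriction to signatures without function symbols, and all names below are my own assumptions.

```python
"""Forcing (Definition 5) and satisfaction (Definitions 9, 10) for FO⊃ on finite Kripke structures.

Added example, not code from the paper. Formulas are nested tuples (constructed syntax):
  ("atom", p, (t1, ..., tn))   ("false",)   ("not", phi)   ("imp", phi, psi)  classical ->
  ("iimp", phi, psi)  intuitionistic ⊃       ("all", x, phi)
Terms are constant names (plain strings) or variables ("var", x). Assumption: no function
symbols, so Definition 3 is trivial and the name ā is the element a itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kripke:
    worlds: tuple        # W(K)
    order: frozenset     # pairs (v, w) meaning v ≼ w; reflexive and transitive
    universe: dict       # w -> frozenset A_w
    atoms: dict          # w -> frozenset of (p, args) in At_w

    def leq(self, v, w):
        return (v, w) in self.order

    def well_formed(self):
        """Conditions 1 and 2 of Definition 2: universes and atom sets grow along ≼."""
        return all(self.universe[v] <= self.universe[w] and self.atoms[v] <= self.atoms[w]
                   for (v, w) in self.order)

    def minimal_worlds(self):
        """Definition 10(a): worlds with no strictly smaller world."""
        return [w for w in self.worlds
                if not any(v != w and self.leq(v, w) for v in self.worlds)]


def closure(worlds, edges):
    """Reflexive-transitive closure of the given edges (helper for building ≼)."""
    rel = {(w, w) for w in worlds} | set(edges)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(rel):
            for (c, d) in list(rel):
                if b == c and (a, d) not in rel:
                    rel.add((a, d))
                    changed = True
    return frozenset(rel)


def subst(phi, x, a):
    """phi(a): replace the free variable x by the name a."""
    tag = phi[0]
    if tag == "atom":
        return ("atom", phi[1], tuple(a if t == ("var", x) else t for t in phi[2]))
    if tag == "false":
        return phi
    if tag == "not":
        return ("not", subst(phi[1], x, a))
    if tag in ("imp", "iimp"):
        return (tag, subst(phi[1], x, a), subst(phi[2], x, a))
    if tag == "all":
        return phi if phi[1] == x else ("all", phi[1], subst(phi[2], x, a))
    raise ValueError(tag)


def forces(K, w, phi):
    """w ⊩ phi as in Definition 5."""
    tag = phi[0]
    if tag == "atom":
        return (phi[1], phi[2]) in K.atoms[w]
    if tag == "false":
        return False
    if tag == "not":                        # classical negation, inside w only
        return not forces(K, w, phi[1])
    if tag == "imp":                        # classical ->, inside w only
        return (not forces(K, w, phi[1])) or forces(K, w, phi[2])
    if tag == "iimp":                       # intuitionistic ⊃: every v with w ≼ v
        return all((not forces(K, v, phi[1])) or forces(K, v, phi[2])
                   for v in K.worlds if K.leq(w, v))
    if tag == "all":                        # classical ∀ over A_w
        return all(forces(K, w, subst(phi[2], phi[1], a)) for a in K.universe[w])
    raise ValueError(tag)


def satisfies_global(K, phi):   # Definition 9: K ⊨_G phi
    return all(forces(K, w, phi) for w in K.worlds)


def satisfies(K, phi):          # Definition 10(b): K ⊨ phi, minimal worlds only
    return all(forces(K, w, phi) for w in K.minimal_worlds())


# The structure of Example 7 (constructed from the text): u ≺ v ≺ w.
EX7 = Kripke(
    worlds=("u", "v", "w"),
    order=closure(("u", "v", "w"), [("u", "v"), ("v", "w")]),
    universe={"u": frozenset("a"), "v": frozenset("ab"), "w": frozenset("abc")},
    atoms={"u": frozenset(),
           "v": frozenset({("r", ("a",)), ("r", ("b",))}),
           "w": frozenset({("r", ("a",)), ("r", ("b",))})},
)
R_A = ("atom", "r", ("a",))
Q_A = ("atom", "q", ("a",))
NOT_R_A = ("not", R_A)
R_A_IMP_Q_A = ("imp", R_A, Q_A)      # classical r(a) -> q(a)
R_A_IIMP_Q_A = ("iimp", R_A, Q_A)    # intuitionistic r(a) ⊃ q(a)
ALL_R = ("all", "x", ("atom", "r", (("var", "x"),)))

if __name__ == "__main__":
    for name, phi in [("~r(a)", NOT_R_A), ("r(a)->q(a)", R_A_IMP_Q_A), ("Ax r(x)", ALL_R)]:
        print(name, {w: forces(EX7, w, phi) for w in EX7.worlds})
```

The last two assertions of the accompanying check show why Definition 10(b) rather than Definition 9 is adopted: ¬r(a) is satisfied by Example 7 in the minimal-worlds sense but fails globally.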

As a matter of fact, ⊨ has a direct (instead of induced) equivalent definition, which is based on the local (in contrast with global) point of view. We are going to define the local relation ⊨_L and then we prove that it is equivalent to ⊨ and stronger than ⊨_G.

Definition 11. Γ ⊨_L φ if and only if for every Kripke structure K and for every world w ∈ W(K), if w ⊩ Γ then w ⊩ φ. ■

Proposition 12.

(i) ⊨ and ⊨_L are equivalent logical consequence relations.

(ii) ⊨_L is stronger than ⊨_G.

(iii) If the forcing relation is monotonic, then ⊨_L and ⊨_G are equivalent logical consequence relations.

Proof:

(i) It is trivial that ⊨_L is stronger than ⊨. To prove the converse, let us suppose that there exist K and w ∈ W(K) such that w ⊩ Γ and w ⊮ φ. Then, we can define

K_w = ({v | v ∈ W(K), w ≼ v}, (A_v)_{v∈W(K), w≼v})

K_w is a Kripke structure with a unique minimal world w such that w ⊩ Γ and w ⊮ φ. Therefore, K_w ⊨ Γ and K_w ⊭ φ.

(ii) is trivial.

(iii) Suppose that Γ ⊨_G φ and consider any K and w ∈ W(K) such that w ⊩_K Γ. Now, consider K_w as above. By forcing monotonicity w' ⊩_{K_w} Γ holds for all w' ∈ W(K_w). Then, w' ⊩_{K_w} φ holds for all w' ∈ W(K_w). So, w ⊩_K φ. ■

Overall, the FO⊃ logical consequence ⊨ has been induced from the minimal world satisfaction relation of Definition 10(b); however, the equivalent formulation given by Definition 11 and Proposition 12(i) can be considered when convenient.

It is easy to see that ⊨ is monotonic with respect to set inclusion:

Fact 13. If Γ ⊆ Γ' and Γ ⊨ φ, then Γ' ⊨ φ. ■
4 Structured Sequent Calculi and Completeness



As explained in Section 1, we consider structured sequents. Specifically, a sequent consists of a pair (Δ, χ) (written as Δ ⇒ χ) where the antecedent Δ is a (finite) sequence of (finite) sets of formulas and the consequent χ is a single formula. In order to simplify sequent notation we reserve Γ and Φ (possibly with sub- and superscripts) for sets of formulas, and Δ, Δ', Δ'', ... for sequences of sets of formulas; the semicolon sign (;) will represent the infix operation for concatenation of sequences; Γ ∪ {φ} will be abbreviated by Γ, φ; and a set Γ is identified with the sequence consisting of this unique set. Thus, the semicolon sign (;) is used to split a sequence into its components (sets of formulas) and the comma sign (,) splits sets of formulas into their elements. For instance, Δ; Γ, φ; Δ' denotes the sequence beginning with the sequence of sets Δ, followed by the set Γ ∪ {φ}, and ending with the sequence of sets Δ'. With an abuse of notation we will write φ ∈ Δ to mean that φ belongs to some of the sets of formulas in Δ.

In this section we first define the notion of proof in a structured sequent calculus. Secondly, we explain what is required for soundness of this kind of calculi. For this purpose a structured consequence notion is defined. Then, we give general sufficient conditions for completeness, which have a dual advantage. On the one hand, different calculi for different purposes could be obtained from the general conditions. On the other hand, these conditions make the completeness proof easier. Lastly, we provide a sound and complete structured sequent calculus for FO⊃.

Definition 14. A proof of a sequent Δ ⇒ χ in a calculus C (or C-proof) is a finite tree, constructed using inference rules from C, whose root is the sequent Δ ⇒ χ and whose leaves are axioms (or initial sequents) in the calculus C. When there exists a C-proof of the sequent Δ ⇒ χ, we write Δ ⊢_C χ. Moreover, ⊢_C is extended to (finite) sequences of infinite sets as follows. For Δ a sequence Γ_0; ...; Γ_n of (possibly infinite) sets of Σ-formulas and φ a Σ-formula, Δ ⊢_C φ holds if and only if there exists a sequence Δ' of finite sets Γ'_0; ...; Γ'_n such that Γ'_i ⊆ Γ_i for each i and there exists a C-proof of the sequent Δ' ⇒ φ. ■

Therefore, ⊢_C is the derivability relation induced by the calculus C. Notice that every set in the antecedent of a sequent must be finite, whereas in the derivability relation sets can be infinite. A trivial consequence of Definition 14 is the following fact, which provides the thinning rule as a meta-rule:

Fact 15. If Δ; Γ; Δ' ⊢_C χ and Γ ⊆ Γ', then Δ; Γ'; Δ' ⊢_C χ. ■

Now we define a relation $\models^*$ between sequences of sets of formulas and 
formulas, such that its restriction to a single set of formulas coincides with the 
logical consequence relation $\models$. 

Definition 16. Let $\Delta$ be a sequence $\Gamma_0; \Gamma_1; \ldots; \Gamma_n$ of sets of $\Sigma$-sentences and $\chi$ 
a $\Sigma$-sentence. We say that $\Delta \models^* \chi$ if and only if for every Kripke $\Sigma$-structure 
$\mathcal{K}$ and every sequence of worlds $u_0, u_1, \ldots, u_n \in W(\mathcal{K})$ such that $u_{i-1} \le u_i$ (for 
$i = 1, \ldots, n$): 

$$u_i \Vdash \Gamma_i \ \text{(for all } i = 0, \ldots, n) \ \Longrightarrow\ u_n \Vdash \chi. \qquad ■$$

Reflecting on the direct (local) definition of the logical consequence relation 
(Definition 11 and Proposition 12), it is obvious that: 

Proposition 17. For every set of $\Sigma$-sentences $\Phi \cup \{\chi\}$: $\Phi \models^* \chi$ iff $\Phi \models \chi$. ■ 

The soundness of a calculus $C$ is guaranteed whenever each proof rule of $C$ 
preserves $\models^*$. In other words, consider the following schema of proof rule: 

$$\frac{\Delta_1 \Rightarrow \chi_1 \quad \cdots \quad \Delta_n \Rightarrow \chi_n}{\Delta \Rightarrow \chi}$$

Then, because of the finiteness of the sets in a $C$-proof and by induction on its length, it 
suffices that each proof rule of $C$ (with the above scheme) satisfies: 

$$\Delta_i \models^* \chi_i \ \text{(for all } i = 1, \ldots, n) \ \Longrightarrow\ \Delta \models^* \chi.$$

Notice that the monotonicity of $\models$ with respect to set inclusion (Fact 13) can 
be generalized to $\models^*$ in the following sense: 

Fact 18. If $\Gamma \subseteq \Gamma'$ and $\Delta; \Gamma; \Delta' \models^* \varphi$, then $\Delta; \Gamma'; \Delta' \models^* \varphi$. ■ 

However, $\models^*$ is in general non-monotonic with respect to the sub-sequence relation. 
For instance, $\Delta; \Gamma \models^* \varphi$ may fail although $\Delta \models^* \varphi$ holds: a classical formula 
forced at the last world $u_n$ of a chain need not be forced at a later world $u_{n+1}$. 
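The two relations just defined are small enough to be checked mechanically on a finite Kripke structure. The following Python program is an added illustration, not code from the paper: it implements the forcing relation for the propositional fragment of $FO^{\supset}$ (atoms, $\mathsf{f}$, $\neg$, $\to$ and $\supset$), the structured consequence $\Delta \models^* \chi$ of Definition 16 over all chains $u_0 \le \cdots \le u_n$ of a given finite structure, and the single-set case of Proposition 17. Because it works inside one structure it can refute a consequence but not establish it for all structures. The formula encoding, the class and function names (`Kripke`, `forces`, `structured_consequence`, `demo`) and the three-world model `M` are all constructed here; the model separates the local implication $\to$ from the persistent $\supset$ and exhibits the non-monotonicity remarked on after Fact 18.

```python
"""Model checker for the structured consequence relation of Definition 16 on the
propositional fragment of FO^⊃ (atoms, f, ¬, → and ⊃).  Added illustration, not
code from the paper; the encoding, the names and the model are constructed."""
from itertools import product

F = ('f',)                                 # falsehood
def atom(p):    return ('atom', p)
def neg(a):     return ('not', a)          # classical negation
def imp(a, b):  return ('imp', a, b)       # classical implication  a → b
def cimp(a, b): return ('cimp', a, b)      # intuitionistic implication  a ⊃ b


class Kripke:
    """Finite Kripke structure: worlds, a preorder ≤ (given by generating pairs)
    and, for each world, the atoms true there; atoms must persist upward."""

    def __init__(self, worlds, order, atoms):
        self.worlds = list(worlds)
        leq = {(w, w) for w in worlds} | set(order)
        changed = True                      # reflexive-transitive closure of `order`
        while changed:
            changed = False
            for (a, b), (c, d) in product(list(leq), repeat=2):
                if b == c and (a, d) not in leq:
                    leq.add((a, d))
                    changed = True
        self.leq = leq
        self.atoms = {w: frozenset(atoms.get(w, ())) for w in worlds}
        for u, v in leq:                    # atomic monotonicity
            if not self.atoms[u] <= self.atoms[v]:
                raise ValueError(f"atoms must persist from {u} to {v}")

    def above(self, w):
        return [v for v in self.worlds if (w, v) in self.leq]

    def forces(self, w, phi):
        """w ⊩ phi.  '¬' and '→' are evaluated at w only; '⊃' quantifies over all v ≥ w."""
        tag = phi[0]
        if tag == 'atom':
            return phi[1] in self.atoms[w]
        if tag == 'f':
            return False
        if tag == 'not':
            return not self.forces(w, phi[1])
        if tag == 'imp':
            return (not self.forces(w, phi[1])) or self.forces(w, phi[2])
        if tag == 'cimp':
            return all((not self.forces(v, phi[1])) or self.forces(v, phi[2])
                       for v in self.above(w))
        raise ValueError(phi)

    def chains(self, n):
        """All sequences u_0 ≤ u_1 ≤ ... ≤ u_n of worlds (repetitions allowed)."""
        def extend(chain):
            if len(chain) == n + 1:
                yield tuple(chain)
                return
            for v in self.above(chain[-1]):
                yield from extend(chain + [v])
        for u0 in self.worlds:
            yield from extend([u0])

    def structured_consequence(self, delta, chi):
        """Δ ⊨* χ in this structure, Δ = Γ_0; ...; Γ_n given as a list of sets:
        every chain forcing Γ_i at u_i must force χ at its last world u_n."""
        n = len(delta) - 1
        for chain in self.chains(n):
            if all(all(self.forces(chain[i], g) for g in delta[i]) for i in range(n + 1)):
                if not self.forces(chain[-1], chi):
                    return False
        return True

    def consequence(self, gamma, chi):
        """Γ ⊨ χ: the single-set case, which coincides with ⊨* (Proposition 17)."""
        return self.structured_consequence([gamma], chi)


p, q = atom('p'), atom('q')
# Constructed model: a chain w0 ≤ w1 ≤ w2 where p becomes true at w1 and q at w2.
M = Kripke(['w0', 'w1', 'w2'], [('w0', 'w1'), ('w1', 'w2')],
           {'w0': set(), 'w1': {'p'}, 'w2': {'p', 'q'}})

def demo(model=M):
    """Checks discussed in the text, evaluated in `model`."""
    return {
        # the sequent p, p→q ⇒ p⊃q of Section 5 is valid here
        'paper_example':     model.consequence({p, imp(p, q)}, cimp(p, q)),
        # → is local: p→q at w0 says nothing about w1, so p⊃q need not follow
        'local_imp':         model.consequence({imp(p, q)}, cimp(p, q)),
        # ⊃ can be used in an ulterior set, → cannot
        'cimp_persists':     model.structured_consequence([{cimp(p, q)}, set()], imp(p, q)),
        'imp_not_persists':  model.structured_consequence([{imp(p, q)}, set()], imp(p, q)),
        # non-monotonicity w.r.t. sub-sequences: Δ ⊨* φ but Δ; ∅ ⊭* φ
        'single':            model.consequence({neg(q)}, neg(q)),
        'extended_sequence': model.structured_consequence([{neg(q)}, set()], neg(q)),
    }
```

`demo()` returns the six verdicts; `single` is true while `extended_sequence` is false, which is exactly the failure of sub-sequence monotonicity, and `cimp_persists` against `imp_not_persists` shows why the calculus needs two left rules for the two implications.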

As a first step towards completeness, we provide general sufficient conditions 
on $\vdash_C$, formulated on the basis of Hintikka sets (cf. [11]). We have 
to saturate sets which are involved in a sequence; therefore we must take into 
account the previous sets in the sequence. For this purpose we introduce the notion 
of a back-saturated set with respect to a sequence of sets $\Delta$. For technical 
reasons, back-saturation is also made with respect to a set of auxiliary constant 
symbols. 

Definition 19. Let $\Delta$ be a sequence of sets of $\Sigma$-sentences and let $\mathit{AC}$ be a 
countable set of new auxiliary constants. We say that a set $\Gamma$ of $\Sigma \cup \mathit{AC}$-sentences 
is back-saturated with respect to $(\mathit{AC}, \Delta)$ if and only if it satisfies the following 
conditions: 

1. $\mathsf{f} \notin \Gamma$ 

2. if $A$ is atomic and $A \in \Delta; \Gamma$, then $\neg A \notin \Gamma$ 

3. $\varphi \to \psi \in \Gamma \Longrightarrow \neg\varphi \in \Gamma$ or $\psi \in \Gamma$ 

4. $\varphi \supset \psi \in \Delta; \Gamma \Longrightarrow \neg\varphi \in \Gamma$ or $\psi \in \Gamma$ 

5. $\forall x\,\varphi(x) \in \Gamma \Longrightarrow \varphi(t) \in \Gamma$ for all closed $t \in \mathit{Term}_{\Sigma \cup \mathit{AC}}$ 

6. $\neg(\varphi \to \psi) \in \Gamma \Longrightarrow \varphi \in \Gamma$ and $\neg\psi \in \Gamma$ 

7. $\neg\forall x\,\varphi(x) \in \Gamma \Longrightarrow \neg\varphi(c) \in \Gamma$ for some $c \in \mathit{AC}$. 

The first two conditions constitute the so-called atomic coherence property of $\Gamma$. 
Now we will show that, for calculi satisfying the conditions in Figure 1, any 
set of sentences in the antecedent of a sequent can be back-saturated while preserving 
non-derivability. This is the crucial lemma for completeness. 

Lemma 20. Let $\Delta; \Gamma; \Delta'$ be a sequence of sets of $\Sigma$-sentences, $\chi$ a $\Sigma$-sentence, 
and $\mathit{AC}$ a countable set of new auxiliary constants. If $\Delta; \Gamma; \Delta' \nvdash_C \chi$ and $\vdash_C$ 
satisfies the conditions of Figure 1, then there exists a set $\Gamma^*$ such that: 

(i) $\Gamma^*$ is back-saturated with respect to $(\mathit{AC}, \Delta)$, 

(ii) $\Gamma \subseteq \Gamma^*$, and 

(iii) $\Delta; \Gamma^*; \Delta' \nvdash_C \chi$. 

Proof: We build $\Gamma^*$, starting with $\Gamma$, by iterating a procedure which 
adds sentences. At each iteration step $k \in \mathbb{N}$ a set $\Gamma_k$ of sentences is built. To 
do that we enumerate the set $\mathit{AC}$ as $\{c_0, c_1, \ldots, c_n, \ldots\}$, the set of all closed 
$\Sigma \cup \mathit{AC}$-terms as $\{t_0, t_1, \ldots, t_n, \ldots\}$, and the set of all $\Sigma \cup \mathit{AC}$-sentences as 
$\{\gamma_0, \gamma_1, \ldots, \gamma_n, \ldots\}$. The procedure initializes $\Gamma_0 := \Gamma$. Then, for any $k \ge 1$, 
it obtains $\Gamma_k$ from $\Gamma_{k-1}$ in the following way. 

(a) If $k$ is odd, it takes the least pair $(i, j) \in \mathbb{N}^2$ (in lexicographic order) 
such that $\gamma_i \in \Gamma_{k-1}$ has the form $\forall x\,\varphi(x)$ and $\varphi(t_j) \notin \Gamma_{k-1}$. Then it makes 
$\Gamma_k := \Gamma_{k-1} \cup \{\varphi(t_j)\}$. 

(b) If $k$ is even, it takes the least $i \in \mathbb{N}$ such that $\gamma_i$ has not been treated 
yet (in a previous even step) and one of the following two facts holds: 

(b1) $\gamma_i \in \Delta; \Gamma_{k-1}$ and it has the form $\varphi \supset \psi$; 

(b2) $\gamma_i \in \Gamma_{k-1}$ and its form is either $\varphi \to \psi$ or $\neg(\varphi \to \psi)$ or $\neg\forall x\,\varphi(x)$. 

Then it obtains $\Gamma_k$, depending on the case, as follows: 

(b1) If $\Delta; \Gamma_{k-1}, \neg\varphi; \Delta' \nvdash_C \chi$ then $\Gamma_k := \Gamma_{k-1} \cup \{\neg\varphi\}$, else $\Gamma_k := \Gamma_{k-1} \cup \{\psi\}$. 

(b2) $\gamma_i$ is $\varphi \to \psi$: if $\Delta; \Gamma_{k-1}, \neg\varphi; \Delta' \nvdash_C \chi$ then $\Gamma_k := \Gamma_{k-1} \cup \{\neg\varphi\}$, 
else $\Gamma_k := \Gamma_{k-1} \cup \{\psi\}$. 

$\gamma_i$ is $\neg(\varphi \to \psi)$: $\Gamma_k := \Gamma_{k-1} \cup \{\varphi, \neg\psi\}$. 

$\gamma_i$ is $\neg\forall x\,\varphi(x)$: it takes the least $j$ such that $c_j \in \mathit{AC} \setminus \mathit{cons}(\Delta; \Gamma_{k-1}; \Delta'; \chi)$ 
and then makes $\Gamma_k := \Gamma_{k-1} \cup \{\neg\varphi(c_j)\}$. 

If $\Gamma_{k-1}$ is already back-saturated with respect to $(\mathit{AC}, \Delta)$, the procedure stops at the step 
$k$ for which $\Gamma_k = \Gamma_{k-1}$. Otherwise we approximate 

$$\Gamma^* = \bigcup_{k \in \mathbb{N}} \Gamma_k.$$

By construction $\Gamma \subseteq \Gamma^*$. To finish the proof we must justify that $\Delta; \Gamma^*; \Delta' \nvdash_C \chi$ 
and that $\Gamma^*$ is back-saturated with respect to $(\mathit{AC}, \Delta)$. 

We show that $\Delta; \Gamma_k; \Delta' \nvdash_C \chi$ for all $k \in \mathbb{N}$ (by induction on $k$). For $k = 0$ 
the assertion holds by hypothesis. Now consider any $k \ge 1$; $\Delta; \Gamma_{k-1}; \Delta' \nvdash_C \chi$ 
holds by the induction hypothesis. For each possible case in the extension of 
$\Gamma_{k-1}$ to $\Gamma_k$ there are conditions in Figure 1 which ensure that $\Delta; \Gamma_k; \Delta' \nvdash_C \chi$: 
case (a) works because of condition 4, (b1) because of condition 3, and 
case (b2) because of conditions 2, 6 and 8. Since a $C$-proof uses only finitely many 
sentences of $\Gamma^*$ (Definition 14), it follows that $\Delta; \Gamma^*; \Delta' \nvdash_C \chi$. 
Finally, the atomic coherence of $\Gamma^*$ results from $\Delta; \Gamma^*; \Delta' \nvdash_C \chi$ because of 
conditions 1, 5 and 10. The remaining back-saturation properties of $\Gamma^*$ hold by 
construction. ■ 

Now we will prove that the conditions of Figure 1 are in fact sufficient for 
completeness. 

1. $A \in \Delta \Longrightarrow \Delta \vdash_C A$ 

2. $\Delta; \Gamma, \neg\varphi; \Delta' \vdash_C \chi$ and $\Delta; \Gamma, \psi; \Delta' \vdash_C \chi \Longrightarrow \Delta; \Gamma, \varphi \to \psi; \Delta' \vdash_C \chi$ 

3. $\Delta; \Gamma; \Delta'; \Gamma', \neg\varphi; \Delta'' \vdash_C \chi$ and $\Delta; \Gamma; \Delta'; \Gamma', \psi; \Delta'' \vdash_C \chi \Longrightarrow$ 
$\Delta; \Gamma, \varphi \supset \psi; \Delta'; \Gamma'; \Delta'' \vdash_C \chi$ 

4. $\Delta; \Gamma, \varphi(t); \Delta' \vdash_C \chi \Longrightarrow \Delta; \Gamma, \forall x\,\varphi(x); \Delta' \vdash_C \chi$ 

5. $\Delta; \Gamma \vdash_C A \Longrightarrow \Delta; \Gamma, \neg A; \Delta' \vdash_C \chi$ 

6. $\Delta; \Gamma, \varphi, \neg\psi; \Delta' \vdash_C \chi \Longrightarrow \Delta; \Gamma, \neg(\varphi \to \psi); \Delta' \vdash_C \chi$ 

7. $\Delta; \Gamma; \varphi \vdash_C \psi \Longrightarrow \Delta; \Gamma, \neg(\varphi \supset \psi); \Delta' \vdash_C \chi$ 

8. $\Delta; \Gamma, \neg\varphi(c); \Delta' \vdash_C \chi \Longrightarrow \Delta; \Gamma, \neg\forall x\,\varphi(x); \Delta' \vdash_C \chi$ 

9. $\Delta; \Gamma, \neg\varphi \vdash_C \mathsf{f} \Longrightarrow \Delta; \Gamma \vdash_C \varphi$ 

10. $\Delta; \Gamma, \mathsf{f}; \Delta' \vdash_C \chi$ 

where $A$ is atomic, $t \in \mathit{Term}_{\Sigma \cup \mathit{AC}}$ and $c \in \mathit{AC} \setminus \mathit{cons}(\Delta; \Gamma, \varphi(x); \Delta')$. 

Fig. 1. Sufficient conditions for completeness 



Lemma 21. If the derivability relation $\vdash_C$ of a calculus $C$ satisfies the conditions 
of Figure 1, then for any set of $\Sigma$-sentences $\Phi \cup \{\chi\}$: $\Phi \models \chi \Longrightarrow \Phi \vdash_C \chi$. 



Proof: Suppose that $\Phi \nvdash_C \chi$. We will prove that $\Phi \not\models \chi$ by showing the existence 
of a counter-model $\mathcal{K}$ with worlds in the set $\mathbb{N}^*$ of sequences of natural numbers, 
ordered by $u \le v$ if and only if $u$ is an initial segment of $v$.¹ This structure $\mathcal{K}$ 
will be such that $\varepsilon \Vdash \Phi$ and $\varepsilon \nVdash \chi$. Consider a countable 
family of disjoint sets of new auxiliary constants $(\mathit{AC}_i)_{i \in \mathbb{N}}$. With each sequence 
$s \in \mathbb{N}^*$ we associate the set $\mathit{AC}_{\#s}$ and the signature 

$$\Sigma_s = \Sigma \cup \bigcup_{n \le \#s} \mathit{AC}_n.$$

Now we inductively associate a set $\Gamma_s$ of $\Sigma_s$-formulas with each $s = \langle n_0, n_1, \ldots, n_k \rangle \in \mathbb{N}^*$. 
Let $\Delta_s$ denote the sequence $\Gamma_\varepsilon; \Gamma_{\langle n_0 \rangle}; \Gamma_{\langle n_0, n_1 \rangle}; \ldots; \Gamma_{\langle n_0, n_1, \ldots, n_k \rangle}$ and $\Delta_{<s}$ the 
sequence $\Gamma_\varepsilon; \ldots; \Gamma_{\langle n_0, n_1, \ldots, n_{k-1} \rangle}$. 

The collection $\{\Gamma_s \mid s \in \mathbb{N}^*\}$ is defined so that each $\Gamma_s$ is back-saturated 
with respect to $(\mathit{AC}_{\#s}, \Delta_{<s})$, $\Phi \cup \{\neg\chi\} \subseteq \Gamma_\varepsilon$ and $\Delta_s \nvdash_C \mathsf{f}$. 

¹ $\varepsilon$ denotes the empty sequence, $\cdot$ is the infix function for adding a natural number 
to a sequence, and $\#$ is the length function over sequences. 

As basis step, we define $\Gamma_\varepsilon$ as a set back-saturated with respect to $\mathit{AC}_0$ 
and the empty sequence of sets such that $\Phi \cup \{\neg\chi\} \subseteq \Gamma_\varepsilon$ and $\Gamma_\varepsilon \nvdash_C \mathsf{f}$. Such a $\Gamma_\varepsilon$ 
exists (by Lemma 20) because $\Phi, \neg\chi \nvdash_C \mathsf{f}$ holds by condition 9. As inductive step, we define 
$\Gamma_{s \cdot j}$ for $s \in \mathbb{N}^*$ and $j \in \mathbb{N}$, provided that $\Delta_s \nvdash_C \mathsf{f}$. To do this, we 
consider an enumeration $\{\gamma_0, \gamma_1, \ldots, \gamma_m, \ldots\}$ of all sentences of $\Gamma_s$ of the form 
$\neg(\varphi_i \supset \psi_i)$, and let $\gamma_j$ be $\neg(\varphi \supset \psi)$. By conditions 7 and 9 we have that 
$\Delta_{<s}; \Gamma_s; \varphi, \neg\psi \nvdash_C \mathsf{f}$. So there exists $\Gamma_{s \cdot j} \supseteq \{\varphi, \neg\psi\}$, back-saturated with respect 
to $(\mathit{AC}_{\#s+1}, \Delta_s)$, such that $\Delta_s; \Gamma_{s \cdot j} \nvdash_C \mathsf{f}$. 

Now, by means of $\{\Gamma_s \mid s \in \mathbb{N}^*\}$, we define $\mathcal{K} = (\mathbb{N}^*, \le, (\mathcal{A}_s)_{s \in \mathbb{N}^*})$ as 
follows: 

- $A_s = \{t \mid t \in \mathit{Term}_{\Sigma_s} \text{ and } t \text{ is closed}\}$ 

- $f^{\mathcal{A}_s}(t_1, \ldots, t_n) = f(t_1, \ldots, t_n)$ 

- $\mathit{At}_s = \{p(t_1, \ldots, t_n) \mid p(t_1, \ldots, t_n) \in \Gamma_s\}$. 

It is easy to see that $\mathcal{K}$ is a Kripke structure and also that $t^{\mathcal{A}_s} = t$ holds 
for every closed term $t$ and every $s \in \mathbb{N}^*$. To finish the proof we have to check that $\varepsilon \Vdash \Phi$ and $\varepsilon \nVdash \chi$. 
Hence, since $\Phi \cup \{\neg\chi\} \subseteq \Gamma_\varepsilon$, it suffices to show that $\eta \in \Gamma_s \Longrightarrow s \Vdash \eta$ holds for 
any $s \in \mathbb{N}^*$ and any $\Sigma_s$-sentence $\eta$. We prove this fact by induction on $\eta$, using 
Definition 19, since each $\Gamma_s$ is back-saturated with respect to $(\mathit{AC}_{\#s}, \Delta_{<s})$: 

- $p(t_1, \ldots, t_n) \in \Gamma_s \Longrightarrow p(t_1, \ldots, t_n) \in \mathit{At}_s \Longrightarrow s \Vdash p(t_1, \ldots, t_n)$ 

- $\neg\varphi$ requires induction on $\varphi$: 

  $\neg p(t_1, \ldots, t_n) \in \Gamma_s \Longrightarrow p(t_1, \ldots, t_n) \notin \Delta_s \Longrightarrow p(t_1, \ldots, t_n) \notin \mathit{At}_s$ 
  $\Longrightarrow s \nVdash p(t_1, \ldots, t_n) \Longrightarrow s \Vdash \neg p(t_1, \ldots, t_n)$ 

  $\neg(\varphi \to \psi) \in \Gamma_s \Longrightarrow \varphi \in \Gamma_s$ and $\neg\psi \in \Gamma_s \Longrightarrow s \Vdash \varphi$ and $s \nVdash \psi \Longrightarrow$ 
  $s \Vdash \neg(\varphi \to \psi)$ 

  $\neg(\varphi \supset \psi) \in \Gamma_s \Longrightarrow \varphi, \neg\psi \in \Gamma_{s \cdot j}$ for some $j \in \mathbb{N} \Longrightarrow s \cdot j \Vdash \varphi$ and 
  $s \cdot j \nVdash \psi \Longrightarrow s \nVdash \varphi \supset \psi \Longrightarrow s \Vdash \neg(\varphi \supset \psi)$ 

  $\neg\forall x\,\varphi(x) \in \Gamma_s \Longrightarrow \neg\varphi(c) \in \Gamma_s$ for some $c \in \mathit{AC}_{\#s} \Longrightarrow s \Vdash \neg\varphi(c)$ for 
  some $c \in \mathit{AC}_{\#s} \Longrightarrow$ (by $c^{\mathcal{A}_s} = c$ and Lemma 6) $s \Vdash \neg\varphi(c)$ for some 
  $c \in A_s \Longrightarrow s \Vdash \neg\forall x\,\varphi(x)$ 

- $\varphi \to \psi \in \Gamma_s \Longrightarrow \neg\varphi \in \Gamma_s$ or $\psi \in \Gamma_s \Longrightarrow s \Vdash \neg\varphi$ or $s \Vdash \psi \Longrightarrow s \Vdash \varphi \to \psi$ 

- $\varphi \supset \psi \in \Gamma_s \Longrightarrow \varphi \supset \psi \in \Delta_w$ for all $w \ge s \Longrightarrow \neg\varphi \in \Gamma_w$ or $\psi \in \Gamma_w$ for all 
  $w \ge s \Longrightarrow w \Vdash \neg\varphi$ or $w \Vdash \psi$ for all $w \ge s \Longrightarrow s \Vdash \varphi \supset \psi$ 

- $\forall x\,\varphi(x) \in \Gamma_s \Longrightarrow \varphi(t) \in \Gamma_s$ for all closed $t \in \mathit{Term}_{\Sigma_s} \Longrightarrow s \Vdash \varphi(t)$ for all 
  closed $t \in \mathit{Term}_{\Sigma_s} \Longrightarrow$ (by $t^{\mathcal{A}_s} = t$ and Lemma 6) $s \Vdash \varphi(t)$ for all $t \in A_s$ 
  $\Longrightarrow s \Vdash \forall x\,\varphi(x)$. ■ 

The conditions of Figure 1 could be rewritten as inference rules, replacing $\vdash_C$ 
by $\Rightarrow$. By Fact 15 and Lemma 21 this is a sound and complete calculus for $FO^{\supset}$, 
which is cut-free, but it is not very natural. In Figure 2 we give a more natural 
calculus, with two inference rules for introducing each connective and quantifier, 
on the left and on the right respectively. Notice that the differences between 
the rules for the two implications reflect that $\supset$ can be used in any "ulterior" 
set of the sequence, whereas $\to$ is only valid in the set containing it. We also 
remark that, looking at the antecedent as a single set of formulas, 
the rules in Figure 2 become well-known inference rules of both classical and 
intuitionistic sequent calculi. In particular, viewed in this manner, the rules for 
both implications collapse into a single pair of rules. 

The structural rules (Init), (Abs), (Cas) and (RaA) respectively allow us to 
build initial sequents, to put any consequent in the place of falsehood, to reason 
by distinction of the two cases given by the law of the excluded middle (classical 
negation), and to reason by reductio ad absurdum. Notice also that a 
combination of ($\neg$L) and (Cas) provides a derived cut rule (see 
Figure 3). Besides, it is easy to check that, using the abbreviations for the rest 
of the connectives and quantifiers ($\wedge$, $\vee$, $\exists$, $\sim$), the expected inference rules can be 
derived for them. 



Structural Rules 

$$(\mathit{Init})\quad \Delta \Rightarrow A \quad \text{if } A \in \Delta \text{ and } A \text{ is atomic (incl. } \mathsf{f})$$

$$(\mathit{Cas})\quad \frac{\Delta;\Gamma,\varphi;\Delta' \Rightarrow \chi \qquad \Delta;\Gamma,\neg\varphi;\Delta' \Rightarrow \chi}{\Delta;\Gamma;\Delta' \Rightarrow \chi} \qquad (\mathit{Abs})\quad \frac{\Delta \Rightarrow \mathsf{f}}{\Delta \Rightarrow \chi} \qquad (\mathit{RaA})\quad \frac{\Delta;\Gamma,\neg\varphi \Rightarrow \mathsf{f}}{\Delta;\Gamma \Rightarrow \varphi}$$

Connective Rules 

$$(\neg L)\quad \frac{\Delta;\Gamma \Rightarrow \varphi}{\Delta;\Gamma,\neg\varphi;\Delta' \Rightarrow \chi} \qquad (R\neg)\quad \frac{\Delta;\Gamma,\varphi \Rightarrow \mathsf{f}}{\Delta;\Gamma \Rightarrow \neg\varphi}$$

$$(\to L)\quad \frac{\Delta;\Gamma \Rightarrow \varphi \qquad \Delta;\Gamma,\psi;\Delta' \Rightarrow \chi}{\Delta;\Gamma,\varphi\to\psi;\Delta' \Rightarrow \chi} \qquad (R\to)\quad \frac{\Delta;\Gamma,\varphi \Rightarrow \psi}{\Delta;\Gamma \Rightarrow \varphi\to\psi}$$

$$(\supset L)\quad \frac{\Delta;\Gamma;\Delta';\Gamma' \Rightarrow \varphi \qquad \Delta;\Gamma;\Delta';\Gamma',\psi;\Delta'' \Rightarrow \chi}{\Delta;\Gamma,\varphi\supset\psi;\Delta';\Gamma';\Delta'' \Rightarrow \chi} \qquad (R\supset)\quad \frac{\Delta;\{\varphi\} \Rightarrow \psi}{\Delta \Rightarrow \varphi\supset\psi}$$

Quantifier Rules 

$$(\forall L)\quad \frac{\Delta;\Gamma,\varphi(t);\Delta' \Rightarrow \chi}{\Delta;\Gamma,\forall x\,\varphi;\Delta' \Rightarrow \chi} \qquad (R\forall)\quad \frac{\Delta \Rightarrow \varphi(c)}{\Delta \Rightarrow \forall x\,\varphi}$$

($t$ is a term in ($\forall$L), and $c$ is a new constant which 
does not appear in the lower sequent of (R$\forall$)). 

Fig. 2. A sound and complete calculus for $FO^{\supset}$ 



Now we will show that the set of inference rules in Figure 2 constitutes 
a sound and complete sequent calculus for $FO^{\supset}$. 

Firstly, the soundness of this calculus can be proved easily but requires a 
long proof. The proof consists in checking that each inference rule is sound with 
respect to (or preserves) the relation $\models^*$ (Definition 16). As an example, we show 
that ($\to$L) is sound. Let $\Delta$ be some sequence of sets $\Gamma_0; \ldots; \Gamma_n$ and let $\Delta'$ be 
another sequence $\Phi_0; \ldots; \Phi_m$. Suppose that there exist a Kripke structure $\mathcal{K}$ 
and a sequence of worlds in $W(\mathcal{K})$, $u_0 \le \cdots \le u_n \le w \le v_0 \le \cdots \le v_m$, such 
that: 

- $u_i \Vdash \Gamma_i$ for all $i = 0, \ldots, n$ 

- $w \Vdash \Gamma \cup \{\varphi \to \psi\}$ 

- $v_j \Vdash \Phi_j$ for all $j = 0, \ldots, m$ 

- $v_m \nVdash \chi$ 

Since $w \Vdash \varphi \to \psi$, either $w \nVdash \varphi$ or $w \Vdash \psi$. The first case means that $\Delta; \Gamma \not\models^* \varphi$, 
and in the second case it turns out that $\Delta; \Gamma, \psi; \Delta' \not\models^* \chi$. Therefore, if $\Delta; \Gamma \models^* \varphi$ 
and $\Delta; \Gamma, \psi; \Delta' \models^* \chi$, then $\Delta; \Gamma, \varphi \to \psi; \Delta' \models^* \chi$. 

Secondly, we will prove completeness by checking that the derivability relation 
induced by the calculus of Figure 2 satisfies the conditions of Figure 1. To 
make this easier, we introduce the derived inference rules of Figure 3. These 
rules provide cut, contraposition (in the last set of the antecedent), derivation of 
assumptions (of the last set of the antecedent), and contradiction, respectively. 

$$(\mathit{Cut})\quad \frac{\Delta;\Gamma \Rightarrow \varphi \qquad \Delta;\Gamma,\varphi;\Delta' \Rightarrow \chi}{\Delta;\Gamma;\Delta' \Rightarrow \chi} \qquad\qquad (\mathit{Ctp})\quad \frac{\Delta;\Gamma,\neg\chi \Rightarrow \varphi}{\Delta;\Gamma,\neg\varphi \Rightarrow \chi}$$

$$(\mathit{Ass})\quad \Delta;\Gamma,\varphi \Rightarrow \varphi \qquad\qquad (\mathit{Ctd})\quad \Delta;\Gamma,\varphi,\neg\varphi;\Delta' \Rightarrow \chi$$

Fig. 3. Derived inference rules 

(Cut) is derived by using ($\neg$L) and (Cas), and (Ctp) by ($\neg$L) and (RaA). 
(Ass) can be derived by induction on $\varphi$. In the base case it suffices to use (Init). 
For the induction step it is enough to use the induction hypothesis together with 
the corresponding rules (R$\odot$) and ($\odot$L) in each case of binary connective or 
quantifier $\odot$. Finally, (Ctd) comes from ($\neg$L) and (Ass). 

Theorem 22. (Completeness) The calculus of Figure 2 is complete for $FO^{\supset}$. 

Proof: By Lemma 21 it is enough to check that the calculus satisfies the 
conditions of Figure 1. Some of the conditions are directly obtained from an 
inference rule. This is the case for condition 1 by (Init), for 4 by ($\forall$L), for 5 
by ($\neg$L) and for 9 by (RaA). Conditions 7 and 10 are also very easy to check: 
condition 7 holds by the rules (R$\supset$) and ($\neg$L), and 10 by (Init) and (Abs). 

From now on the thinning meta-rule (see Fact 15) is often implicitly assumed. 
For both conditions 2 and 3 we use the same scheme of proof. We first apply 
(Cas) with $\psi$ and $\neg\psi$. Then the sequent with $\psi$ is a premise of the condition. 
For the other sequent we use (Cut) with $\neg\varphi$ as cut formula. We obtain the other 
premise of the condition and also a sequent which is easily derived by (R$\neg$) and 
($\to$L). The resulting leaves are (Ass) and (Ctd) sequents. 

A proof for condition 6 can be obtained similarly, beginning with two consecutive 
applications of (Cut) with cut formulas $\varphi$ and $\neg\psi$ on the set $\Gamma$. 

For condition 8, let us suppose that $\Delta; \Gamma, \neg\varphi(c); \Delta' \Rightarrow \chi$ is a derivable sequent. 
That is, we are assuming that it is composed of finite sets. With an abuse of 
notation, we use the same names for the finite sets in the sequent as for their 
(possibly infinite) extensions in derivability condition 8. We apply finitely 
many times (R$\to$) and (R$\supset$) to move, one by one, the formulas of $\Delta'$ into the 
consequent. In this way we obtain a sequent of the form $\Delta; \Gamma, \neg\varphi(c) \Rightarrow \eta(\Delta', \chi)$, 
where $\eta(\Delta', \chi)$ is the implicative formula just described, combining both 
implications. Now, by (Ctp), (R$\forall$) ($c$ does not appear anywhere in the sequent) and 
again (Ctp), we have a proof of the sequent $(S_1)$ $\Delta; \Gamma, \neg\forall x\,\varphi(x) \Rightarrow \eta(\Delta', \chi)$. 
Further, by systematic application of ($\to$L) and ($\supset$L) to $\eta(\Delta', \chi)$, we prove the 
sequent $(S_2)$ $\Delta; \Gamma, \neg\forall x\,\varphi(x), \eta(\Delta', \chi); \Delta' \Rightarrow \chi$. Applying (Cut) to $(S_1)$ and $(S_2)$ 
we derive the sequent $\Delta; \Gamma, \neg\forall x\,\varphi(x); \Delta' \Rightarrow \chi$. By the thinning meta-rule (Fact 15) 
the corresponding derivability relation is obtained. ■ 



5 Conclusions and Related Work 

We have shown that structured sequents enable the sequent calculus approach as a 
proof method for a logic combining classical and intuitionistic implication. We 
have given semantical foundations for a logic which achieves such a combination 
in the (unrestricted) first-order case. Some design aspects of the logic $FO^{\supset}$ have 
been influenced and inspired by its original motivation in the area of logic 
programming. In particular, antecedents consisting of sequences of sets arose as a 
tool to formalize the operational semantics of LP languages combining classical 
and intuitionistic implication (see [10,1]). We have improved these structured 
sequents to combine both whole logics. We have provided general sufficient 
conditions for completeness of sequent calculi dealing with this kind of sequents, 
and also a sound and complete calculus. The completeness proof is based on a 
procedure for saturating sets with respect to sequences of sets. 

The well-known modal logic S4 (introduced in [14]) is closely related to 
intuitionistic logic by a translation of intuitionistic formulas into S4 formulas 
([3,4]). Similarly, $FO^{\supset}$ can be translated into S4. The S4 connective $\Box$ allows 
one to translate an intuitionistic implication $\varphi \supset \psi$ into $\Box(\varphi \to \psi)$. For atomic 
monotonicity, atomic formulas $p(t)$ also have to be translated into $\Box p(t)$. 
This transformational approach enables logical (model-theoretic) foundations 
for LP languages combining both implications ([9]), and also provides a useful 
connection between the semantical aspects of $FO^{\supset}$ and S4. On the contrary, this 
connection is not so useful for relating their proof-theoretical aspects. Structured 
sequent calculi provide a new deduction style allowing proofs which cannot be 
translated to S4. Roughly speaking, structured sequent calculi are more flexible 
than traditional S4 proof methods. In other words, a provable sequent has more 
(essentially different) proofs in $FO^{\supset}$ than its translation has in S4. For instance, 
consider the following S4 rule: 

$$(R\Box)\quad \frac{\Phi^{\Box} \Rightarrow \varphi}{\Phi \Rightarrow \Box\varphi} \qquad \text{where } \Phi^{\Box} = \{\Box\psi \mid \Box\psi \in \Phi\}\ ^2$$

The indispensable non-$\Box$-formulas in the antecedent of a sequent with a $\Box$-consequent 
must be used before one application of the (R$\Box$) rule removes them. 
The semantical reason is that $\Box$-formulas are properties of "every greater world" 
and the rule removes the "one world" assumptions. In $FO^{\supset}$, the structure of the 
antecedent allows us to preserve all its "information", even in deduction steps 
dealing with an "every greater world" consequent. A remarkable consequence is 

² S4 sequents are symmetric, but this is not relevant for our discussion. 
that $FO^{\supset}$ is more suitable than S4 for goal-directed proofs. A goal-directed 
(or uniform) proof ([16,17]) is essentially a sequent calculus proof obtained by 
applying, at each step, the (R$\odot$) rule where $\odot$ is the top-level logical symbol 
of the consequent (or goal). When the goal is an atom $A$, the legal step 
(so-called "backchaining") essentially consists of applying ($\to$L) to some 
formula $\varphi \to A$ in the antecedent. Goal-directed proofs have become an important 
proof-theoretical foundation for LP languages, and goal-directed proof 
systems have been developed for fragments of first-order logic ([18]), intuitionistic 
logic ([7,16]), intermediate logics lying between intuitionistic and classical 
logic ([6]), and many other fragments of (higher-order, modal, etc.) logics. A 
more detailed discussion of this topic is outside the scope of this paper. [1] deals 
with a fragment of $FO^{\supset}$ which is a logic programming language satisfying the 
existence of a goal-directed proof for every provable sequent. Let us illustrate 
the goal-oriented ability of $FO^{\supset}$ by means of a simple example. Consider the 
sequent $p, p \to q \Rightarrow p \supset q$. It has a very easy goal-directed proof, whereas its 
translation into S4 modal logic, $\Box p, \Box p \to \Box q \Rightarrow \Box(\Box p \to \Box q)$, does not have a 
goal-directed proof. For the former, by (R$\supset$) we obtain $p, p \to q; p \Rightarrow q$. Now, 
by applying ($\to$L) ("backchaining") to $p \to q$, two initial sequents $p \Rightarrow p$ and 
$p, q; p \Rightarrow q$ are obtained. For the latter, a goal-directed proof must first apply 
(R$\Box$), hence it obtains the non-provable sequent $\Box p \Rightarrow \Box p \to \Box q$. There is a 
(non goal-directed) S4 proof which begins with ($\to$L) to obtain the initial 
sequent $\Box p \Rightarrow \Box p$ and also the sequent $\Box p, \Box q \Rightarrow \Box(\Box p \to \Box q)$, which can now be 
proved by (R$\Box$). 
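The derivation just described can be checked rule by rule against Figure 2. The following Python program is an added illustration, not code from the paper: it implements a checker for the propositional rules of Figure 2 (Init, Abs, Cas, RaA, $\neg$L, R$\neg$, $\to$L, $\supset$L, R$\to$, R$\supset$), reading "$\Gamma, \varphi$" in a rule as $\Gamma \cup \{\varphi\}$ with $\Gamma$ possibly already containing $\varphi$, and then verifies the goal-directed proof of $p, p \to q \Rightarrow p \supset q$ from the text, a second derivation that uses ($\supset$L) across sets, and rejects a tree that misapplies (R$\to$). The formula and sequent encodings, the rule names and the helper names (`seq`, `rule_ok`, `check`) are constructed here.

```python
"""Proof checker for the propositional fragment of the calculus of Figure 2.
Added illustration, not code from the paper; encodings and names are constructed.
A derivation is a tree (rule, conclusion, [subderivations]); `check` verifies
that every node is a correct instance of its rule."""

F = ('f',)
def atom(p):    return ('atom', p)
def neg(a):     return ('not', a)
def imp(a, b):  return ('imp', a, b)        # classical  →
def cimp(a, b): return ('cimp', a, b)       # intuitionistic  ⊃

def seq(*sets, goal):
    """Structured sequent Γ_0; ...; Γ_n ⇒ goal (antecedent: tuple of frozensets)."""
    return (tuple(frozenset(s) for s in sets), goal)

def variants(gamma, phi):
    """The set written 'Γ' beside a principal formula φ: with or without φ."""
    return (gamma, gamma - {phi})

def rule_ok(name, concl, P):
    """Is `concl` obtained from the premises `P` by rule `name`?"""
    D, chi = concl
    n = len(D)
    if name == 'Init':
        return not P and chi[0] in ('atom', 'f') and any(chi in G for G in D)
    if name == 'Abs':                       # Δ ⇒ f  /  Δ ⇒ χ
        return len(P) == 1 and P[0] == (D, F)
    if name == 'RaA':                       # Δ; Γ, ¬φ ⇒ f  /  Δ; Γ ⇒ φ
        return len(P) == 1 and n > 0 and P[0] == (D[:-1] + (D[-1] | {neg(chi)},), F)
    if name == 'Cas':                       # Δ;Γ,φ;Δ' ⇒ χ   Δ;Γ,¬φ;Δ' ⇒ χ  /  Δ;Γ;Δ' ⇒ χ
        if len(P) != 2 or any(len(pr[0]) != n for pr in P):
            return False
        for i in range(n):
            for phi in P[0][0][i] | P[1][0][i]:
                a = (D[:i] + (D[i] | {phi},) + D[i+1:], chi)
                b = (D[:i] + (D[i] | {neg(phi)},) + D[i+1:], chi)
                if (P[0], P[1]) in ((a, b), (b, a)):
                    return True
        return False
    if name == 'NotL':                      # Δ; Γ ⇒ φ  /  Δ; Γ, ¬φ; Δ' ⇒ χ
        if len(P) != 1:
            return False
        for i in range(n):
            for x in D[i]:
                if x[0] == 'not' and any(P[0] == (D[:i] + (G,), x[1])
                                         for G in variants(D[i], x)):
                    return True
        return False
    if name == 'NotR':                      # Δ; Γ, φ ⇒ f  /  Δ; Γ ⇒ ¬φ
        return (len(P) == 1 and n > 0 and chi[0] == 'not'
                and P[0] == (D[:-1] + (D[-1] | {chi[1]},), F))
    if name == 'ImpL':                      # Δ;Γ ⇒ φ   Δ;Γ,ψ;Δ' ⇒ χ  /  Δ;Γ,φ→ψ;Δ' ⇒ χ
        if len(P) != 2:
            return False
        for i in range(n):
            for x in D[i]:
                if x[0] != 'imp':
                    continue
                _, phi, psi = x
                for G in variants(D[i], x):
                    a = (D[:i] + (G,), phi)
                    b = (D[:i] + (G | {psi},) + D[i+1:], chi)
                    if (P[0], P[1]) == (a, b):
                        return True
        return False
    if name == 'CimpL':                     # φ ⊃ ψ in Γ is used at a later set Γ'
        if len(P) != 2:
            return False
        for i in range(n):
            for x in D[i]:
                if x[0] != 'cimp':
                    continue
                _, phi, psi = x
                for G in variants(D[i], x):
                    for j in range(i + 1, n):
                        head = D[:i] + (G,) + D[i+1:j]
                        a = (head + (D[j],), phi)
                        b = (head + (D[j] | {psi},) + D[j+1:], chi)
                        if (P[0], P[1]) == (a, b):
                            return True
        return False
    if name == 'ImpR':                      # Δ; Γ, φ ⇒ ψ  /  Δ; Γ ⇒ φ → ψ
        return (len(P) == 1 and n > 0 and chi[0] == 'imp'
                and P[0] == (D[:-1] + (D[-1] | {chi[1]},), chi[2]))
    if name == 'CimpR':                     # Δ; {φ} ⇒ ψ  /  Δ ⇒ φ ⊃ ψ
        return (len(P) == 1 and chi[0] == 'cimp'
                and P[0] == (D + (frozenset({chi[1]}),), chi[2]))
    raise ValueError(f"unknown rule {name}")

def check(tree):
    name, concl, subs = tree
    return rule_ok(name, concl, [s[1] for s in subs]) and all(check(s) for s in subs)

p, q = atom('p'), atom('q')
# The goal-directed proof of  p, p→q ⇒ p ⊃ q  from the text: (R⊃), then backchaining with (→L).
paper_proof = ('CimpR', seq({p, imp(p, q)}, goal=cimp(p, q)), [
    ('ImpL', seq({p, imp(p, q)}, {p}, goal=q), [
        ('Init', seq({p}, goal=p), []),
        ('Init', seq({p, q}, {p}, goal=q), [])])])
# ⊃ used from an earlier set of the antecedent:  p ⊃ q ⇒ p ⊃ q  via (R⊃) and (⊃L).
cimp_proof = ('CimpR', seq({cimp(p, q)}, goal=cimp(p, q)), [
    ('CimpL', seq({cimp(p, q)}, {p}, goal=q), [
        ('Init', seq({cimp(p, q)}, {p}, goal=p), []),
        ('Init', seq({cimp(p, q)}, {p, q}, goal=q), [])])])
# Rejected: (R→) cannot introduce ⊃, and q is not an initial sequent of the premise.
bad_proof = ('ImpR', seq({p, imp(p, q)}, goal=cimp(p, q)), [
    ('Init', seq({p, imp(p, q)}, goal=q), [])])
```

`check(paper_proof)` and `check(cimp_proof)` hold, `check(bad_proof)` does not; the checker only validates a tree it is given, so it says nothing about non-derivability of a sequent such as $p \to q \Rightarrow p \supset q$.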

Farinas and Herzig ([2]) have investigated the combination of classical and 
intuitionistic logic in the propositional case. They provide a Hilbert-style 
axiomatization and also a tableaux method. Actually, a completeness proof for the 
propositional subset of $FO^{\supset}$ could be obtained by deriving the axiomatization of 
the propositional logic introduced in [2]. A similar work is [12], where a natural 
deduction system is given. A common characteristic of both systems, [2] and 
[12], is that some deduction steps depend on the persistence of formulas. From 
the semantical point of view, persistent formulas are the "every greater world" 
ones in the sense mentioned above. In S4 only $\Box$-formulas are persistent, whereas 
the combination of classical and intuitionistic connectives leads to an inductive 
characterization of persistence. In [2,12] persistent goals require the elimination 
of non-persistent premises, like the (R$\Box$) rule does in S4. Hence their deductive 
styles are similar and quite far from the (structured sequents based) $FO^{\supset}$ style, 
especially with regard to goal-directed proofs. Let us consider again the above 
example and the tableaux method introduced in [2], in order to obtain a closed 
tableau for the sentence $\neg((p \wedge (p \to q)) \to (p \supset q))$. After some simple steps, 
we have a linear tableau containing the three nodes $p$, $p \to q$ and $\neg(p \supset q)$. 
From the goal-directed point of view, the first two play the role of premises and 
the last one is the goal. Therefore, to build a "goal-directed tableau" we must 
enlarge the unique branch with $p$ and $\neg q$ and, simultaneously, we must eliminate 
all premises, since they are not persistent. Hence this tableau will not close. A 
closed tableau can be obtained, and to do this it suffices to use the premise 
$p \to q$ before the goal. 
Abstract. The behaviour of many systems is naturally modelled by a set of 
ordinary differential equations (ODEs) which are parametric. Since decisions 
are often based on relations over these parameters it is important to know them 
with sufficient precision to make those decisions safe. This is in principle an 
adequate field to use interval domains for the parameters, and constraint 
propagation to obtain safe bounds for them. Although complex, the use of 
interval constraints with ODEs is receiving increasing interest. However, the 
usual consistency maintenance techniques (box- and local hull-consistency) for 
interval domains are often insufficient to cope with parametric ODEs. In this 
paper we propose a stronger consistency requirement, global hull-consistency, 
and an algorithm to compute it. To speed up this computation we developed an 
incremental approach to refine as needed the precision of ODEs trajectories. 
Our methodology is illustrated with an example of decision support in a medical 
problem (diagnosis of diabetes). 



1. Introduction 

Model-based decision support relies on an explicit representation of some system (in a 
domain of interest). The dynamics of such a system is often described by relating the 
rates at which the system variables change with the current values of these variables. 
Such models are naturally represented as a set of ordinary differential equations 
(ODEs) which are parametric, as they include parameters whose values are not known 
exactly. 

The classification of the system behaviour (for instance, whether it oscillates) 
usually depends on some relations between the system parameters. When decisions 
have to be made according to the behaviour of the system, determining the value of 
the parameters becomes of course an important problem. Nevertheless, to know the 
exact values of the parameters is often not required, being sufficient to determine them 
with enough precision to make safe decisions. 

Such a determination is not an easy task in general. Sometimes it is possible to 
obtain an analytical solution for the ODEs. In such systems, the model may be tuned 
by collecting data in a number of experiments, and adjusting the model parameters to 
fit the predicted to the observed values. However, many systems have no analytical 
solution, and the above values must be predicted by numeric simulation. This is a 
typical generate-and-test process: exact values for the parameters must be generated 
and the results of their simulation tested against the observations. 

H. Kirchner and C. Ringeissen (Eds.): FroCoS 2000, LNAI 1794, pp. 105-120. 
This procedure has two main drawbacks. Firstly, approximation errors are 
inevitable and a mismatch between predictions and observations can be explained 
either because the values of the parameters are wrong, or because of approximation 
errors (or a combination of both types of errors). Secondly, even if these latter errors 
can be discarded, systems are often highly non linear, and small errors in the value of 
the parameters may cause important changes in the predicted results (chaotic systems 
are an extreme example of this non-linearity). Moreover, in a decision support context, 
safe decisions may only be made if all values that match the experimental data are 
considered, and this poses the extra difficulty of generating and testing all the 
(potentially infinite) hypotheses. 

These difficulties with numerical simulation may, in principle, be circumvented by 
adopting interval domains for the parameters, and using constraint propagation to 
obtain safe bounds for them. Despite its complexity, the use of interval constraints 
with ODEs has recently been receiving increasing interest [1], and was proposed for the 
representation of deep models of biomedical systems [2]. 

The success of this approach to handle parametric ODEs greatly rests on the ability 
of constraint propagation to narrow the uncertainty about the parameters (until a safe 
decision can be made). As with other domains, constraint propagation of intervals 
maintains some form of consistency of the constraint set. Typically, two types of 
consistency are considered: box-consistency and local hull-consistency [3]. Neither of 
them is complete; more importantly, in the context of decision support, neither seems 
to be able to sufficiently narrow the parameters in parametric ODEs so that decisions 
may be made safe. 

To overcome this problem, we propose in this paper a new type of consistency, 
global hull-consistency, that combines the global nature of box-consistency with the 
simultaneous instantiation of all parameters of local hull-consistency. The paper is 
organised as follows. In section 2 we present a motivating example from the medical 
domain (diagnosis of diabetes), where the above considerations are exemplified. 
Section 3 overviews the main features of interval-based approaches to handle ODEs. 
Section 4 presents our definition of global hull-consistency, and justifies it in the 
context of decision support. The algorithm that computes it relies on a number of trajectory 
computations with sufficient precision, and section 5 presents an incremental 
validated approach to deal with ODEs, which speeds up the required computations. 
Section 6 presents and discusses the results of applying our approach on the diabetes 
example. Finally section 7 presents the main conclusions and discusses future research 
still needed. 



2. A Differential Model for Diagnosing Diabetes 

Diabetes mellitus is a disease that prevents the body from metabolising glucose due to 
an insufficient supply of insulin. A glucose tolerance test (GTT) is frequently used for 
diagnosing diabetes. In this test, the patient arrives at the hospital after an overnight 
fast and ingests a large dose of glucose. During the next hours, several blood tests are 
made and from the evolution of the glucose concentration values (and possibly insulin 
values as well) a diagnosis is made by the physicians. 
Ackerman et al. [4] proposed a well-known model for the description of the blood 
glucose regulatory system during a GTT. The model is the following parametric 
ordinary differential equation: 

$$\frac{dg}{dt} = -p_1\, g - p_2\, h, \qquad \frac{dh}{dt} = -p_3\, h + p_4\, g \qquad (1)$$

where $g$ is the deviation of the blood glucose concentration from its fasting level; 
$h$ is the deviation of the blood insulin concentration from its fasting level; 
$p_1$, $p_2$, $p_3$ and $p_4$ are positive parameters. 

When the patient arrives after an overnight fast the concentrations of glucose and 
insulin are at the fasting level, so $g$ and $h$ are zero. Let $t_0$ be the instant immediately 
after the ingestion of a large dose of glucose ($g_0$). According to the model, the 
evolution of glucose and insulin blood concentrations is described by the trajectory of 
the above differential equation with the initial values: 

$$g(t_0) = g_0 \quad \text{and} \quad h(t_0) = 0.$$

The parameter values, which vary from person to person, determine the evolution 
of the trajectory over time. Figure 1 shows two simulations of the evolution of the 
blood glucose concentration for a patient that arrived with a glucose fasting level 
concentration of 70 mg glucose / 100 ml blood. Immediately after the ingestion of an 
initial dose of glucose, the glucose concentration was 150 mg glucose / 100 ml blood 
($g_0 = 150 - 70 = 80$). The different trajectories obtained for the two simulations are due 
to the different values assumed for the parameters. 




Fig. 1. Two simulations of the evolution of the blood glucose concentration. In case 1 (thick 
line), typical normal values were assumed ($p_1 = 0.0044$, $p_2 = 0.04$, $p_3 = 0.0044$, $p_4 = 0.03$). In case 2 
(thin line), the values of the parameters $p_2$ and $p_4$ were reduced ($p_2 = 0.03$, $p_4 = 0.015$). 

Independently of the specific values of the parameters, the glucose trajectory 
(and the insulin trajectory as well) oscillates around, and eventually converges to, 
the fasting concentration level. This oscillation has a (natural) period $T$ given 
(in minutes) by: 

$$T = \frac{2\pi}{\sqrt{p_1 p_3 + p_2 p_4}} \qquad (2)$$
A criterion used for diagnosing diabetes is based on the period $T$ (and hence on the 
above relation on the parameters $p_i$), which is increased in diabetic patients. It is 
generally accepted that a value of $T$ higher than 4 hours is an indicator of diabetes; 
otherwise normalcy is concluded. 

Summarising, the decision problem (for the diagnosis of diabetes) is based on: 

i) a parametric ordinary differential equation to model the glucose/insulin 
concentrations; 

ii) the decision is based on a condition (T < 240) that can be obtained from the 
parameter values; 

iii) the exact parameter values are unknown, but some ranges may be accepted; 

iv) within these ranges different decisions may be taken (the patient is diabetic or not) 

v) some points of the trajectory are known (from the blood tests). 

In practice, for a particular patient, it is necessary to narrow the range of the 
parameters so as to safely evaluate the diagnostic condition. Notice that this 
differential equation has an analytical solution (otherwise it would not be so widely 
used in practice); it is used in this paper for illustration purposes. Nevertheless our 
approach may be used with any model, even one with no analytical solution. 
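Points i) to iv) above can be made concrete without any trajectory computation, because the decision only depends on $T$ and $T$ is a monotone function of the parameters. The following Python program is an added illustration, not the paper's constraint-propagation algorithm: it evaluates Eq. (2) over parameter boxes (the radicand $p_1 p_3 + p_2 p_4$ grows with every positive parameter, so the exact hull of $T$ over a box is attained at two corners), decides "normal", "diabetic" or "undecided" for a box with respect to the 240-minute threshold, and bisects undecided boxes in a generate-and-test loop. The function names and all parameter ranges (`NARROW`, `WIDE`) are constructed here; only the case 1 values of Fig. 1 come from the page.

```python
"""Safe evaluation of the diagnostic condition T > 240 min under interval-valued
parameters of the glucose model.  Added illustration, not the paper's algorithm;
the ranges and names are constructed."""
import math

THRESHOLD = 240.0                     # 4 hours in minutes (Section 2)

def period(p1, p2, p3, p4):
    """Eq. (2): T = 2π / sqrt(p1 p3 + p2 p4), in minutes."""
    return 2.0 * math.pi / math.sqrt(p1 * p3 + p2 * p4)

def period_bounds(box):
    """Exact hull [T_lo, T_hi] of T over box = {'p1': (lo, hi), ...} with lo > 0.
    The radicand is increasing in each parameter, so T is largest at the lower
    corner and smallest at the upper corner."""
    lo = {k: v[0] for k, v in box.items()}
    hi = {k: v[1] for k, v in box.items()}
    t_lo = period(hi['p1'], hi['p2'], hi['p3'], hi['p4'])
    t_hi = period(lo['p1'], lo['p2'], lo['p3'], lo['p4'])
    return t_lo, t_hi

def decide(box, threshold=THRESHOLD):
    """'normal' if every parameter value in the box gives T < threshold,
    'diabetic' if every value gives T > threshold, otherwise 'undecided'."""
    t_lo, t_hi = period_bounds(box)
    if t_hi < threshold:
        return 'normal'
    if t_lo > threshold:
        return 'diabetic'
    return 'undecided'

def bisect(box):
    """Split the box along its widest parameter interval."""
    k = max(box, key=lambda name: box[name][1] - box[name][0])
    lo, hi = box[k]
    mid = (lo + hi) / 2.0
    return {**box, k: (lo, mid)}, {**box, k: (mid, hi)}

def explore(box, threshold=THRESHOLD, max_depth=10):
    """Generate-and-test over sub-boxes: undecided boxes are bisected until they
    decide or have been split max_depth times.  Returns the three lists of boxes."""
    out = {'normal': [], 'diabetic': [], 'undecided': []}
    stack = [(box, 0)]
    while stack:
        b, depth = stack.pop()
        verdict = decide(b, threshold)
        if verdict != 'undecided' or depth >= max_depth:
            out[verdict].append(b)
        else:
            for half in bisect(b):
                stack.append((half, depth + 1))
    return out

def volume(box):
    v = 1.0
    for lo, hi in box.values():
        v *= hi - lo
    return v

def undecided_fraction(box, **kw):
    """Share of the box's volume on which the diagnosis is still open after exploring."""
    out = explore(box, **kw)
    return sum(volume(b) for b in out['undecided']) / volume(box)

# Constructed ranges: tight around the case 1 values of Fig. 1 ...
NARROW = {'p1': (0.004, 0.005), 'p2': (0.035, 0.045), 'p3': (0.004, 0.005), 'p4': (0.025, 0.035)}
# ... and wide enough on p2 and p4 that both diagnoses remain possible.
WIDE = {'p1': (0.004, 0.005), 'p2': (0.020, 0.045), 'p3': (0.004, 0.005), 'p4': (0.010, 0.035)}
```

`decide(NARROW)` is `'normal'` although no single parameter value is known, which is what "safe decision" means here; `decide(WIDE)` is `'undecided'`, and `explore(WIDE)` shows that bisection alone leaves a band of boxes around the surface $p_1 p_3 + p_2 p_4 = (2\pi/240)^2$ open, which is where the observations (point v) and constraint propagation on the trajectory have to do the narrowing.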



3. Ordinary Differential Equations and Initial Value Problems 

An Ordinary Differential Equation (ODE) defines the derivative of $u$ (a vector) with 
respect to the variable $t$ by means of a function of $t$ and $u$ [5]: 

$$\frac{du}{dt} = f(t, u) \qquad (3)$$

Equations with higher order derivatives on the same variable ($t$) can be transformed 
into an ODE by including new variables (one for each higher order derivative). Given 
an ODE and a value for $u$ at a given $t_0$, the initial value problem (IVP) aims at 
determining the value of $u$ for other values of $t$ ($u(t)$ is called the trajectory). 



3.1. Traditional Approaches 



Classical numerical approaches to this problem try to approximate the trajectory u(t)
at some discrete points of t (t_1, t_2, ..., t_n). This is achieved by considering each t in an
increasing sequence and using the approximated values of the trajectory at the
previous points to calculate the approximated value of the trajectory at the next point.
Each of the n steps of this approximation process is based on a traditional numerical
approximation method (Taylor, Runge-Kutta, etc.) in which the error term is truncated
(Equation 4 shows the Taylor method of order k).



$$u(t_1) = u(t_0) + \sum_{i=1}^{k-1} \frac{(t_1 - t_0)^i}{i!}\, f^{(i-1)}(t_0, u(t_0)) + \frac{(t_1 - t_0)^k}{k!}\, f^{(k-1)}(\xi) \qquad (4)$$
The fundamental problem with these approaches is the error introduced at every
step of the procedure, due to the truncation of the error term (the last term of Eq. 4)
and to floating point round-off. Even if these errors are small in each
step, their cumulative effect over the n steps usually makes the approximated trajectory
depart significantly from the correct trajectory.

In contrast, validated methods are able to verify the existence of a unique solution 
to the problem and to produce guaranteed error bounds for the true trajectory. 



3.2. Validated Interval Arithmetic Approaches 

The first validated approaches to ODEs originated from the interval arithmetic
framework introduced by Moore [6]. The key idea is to use interval arithmetic to
calculate each approximation step while explicitly taking into account the error term within
appropriate interval bounds. Truncation and round-off errors are thus encapsulated
within bounds of uncertainty around the true trajectory.

In validated approaches each step (between two consecutive points t_i and t_{i+1}) consists
of two phases. In the first phase, it is necessary to validate the existence of a unique
solution and to calculate an a priori enclosure of the true trajectory between the two
points (this is required to bound the error term in the next phase). Usually this phase
uses the Picard operator (see Section 5). In the second phase a tighter enclosure of the
trajectory at point t_{i+1} is obtained through interval arithmetic over a chosen numerical
approximation step (such as the one presented in Eq. 4), with the error term bounded as a
result of the a priori enclosure found in the previous phase.

The relative unpopularity of the direct application of interval methods to ODE
problems derives from the additional computational work required and, in many early
approaches, from the insufficient tightness of the trajectory bounds produced.
Nevertheless, some widely used software was developed using the above ideas,
namely Lohner's AWA program [7] and Nedialkov's VNODE package [8].

To overcome the above difficulties, research has been carried out to take advantage 
of the efficiency and soundness of constraint techniques. 

3.3. Validated Interval Constraint Approaches 

The application of the interval constraints framework (introduced by Cleary [9]) for 
validated ODE solving was suggested by Older [10] and Hickey [11]. The idea is to 
represent a problem by a constraint network whose nodes are the trajectory values on 
the discrete points of t, and imposing constraints on them according to the 
approximation step (as in the interval arithmetic approaches). The goal is not only to 
improve efficiency (compared to the interval arithmetic approaches) but also to 
improve in terms of the generality of a constraint approach. Not only can IVPs be 
solved, but also any additional information (e.g. final or intermediate trajectory 
values) may propagate throughout the constraint network, preserving validated 
approximations on each trajectory point. 

These constraint approaches are theoretically equivalent to the previous interval
approaches (requiring as well a first phase (for error bounding) and a second phase
(for a tighter enclosure) in each approximation step) but benefit from the propagation
technology developed for the constraint framework.

Early proposals [10][11] assumed an a priori enclosure for the whole trajectory,
requiring only the second phase of the approximation step. More recently, Deville et al.
[1] defined a general approach where consistency techniques handle the main
problems of the interval methods. For example, the wrapping effect (the error
resulting from propagating at each step an entire box that encloses a smaller region) is
reduced by piecewise interval extension (instead of entire box extension), expressed as
unconstrained optimisation (a well known problem in the constraint community).



4. Differential Equations in the Context of Decision Support 

If ODEs are considered in the context of decision support, the determination of the 
trajectory is no longer the only (main) goal, and this has to be considered together with 
other constraints of the decision model. Moreover, most models include parameters 
within the ODE definition, possibly common to other constraints. 

Within this context, the whole ODE is just another constraint of the model relating 
several variables that can be either trajectory point values or parameters. The main 
goal of the constraint system is to reduce the bounds of all model variables to 
eliminate values which can be proved inconsistent with the constraint set. 

The main difficulty with parametric ODEs is that parameter uncertainty can be
quickly propagated and increased along the whole trajectory. Note that even perfect
approximation methods may not resolve this uncertainty (of course, less precise methods
will give worse results). Most ODEs present such behaviour (unless they are
contracting) and in the extreme case of chaotic ODEs any uncertainty, however small,
is quickly magnified, preventing any reasonable long-term trajectory calculation.

Several partial consistency definitions and algorithms have been proposed to prune 
the domains of real variables in constraint systems (Collavizza et al [3] characterised 
the general properties of the filtering achieved by such types of partial consistency). 
However parametric ODEs introduce extra difficulties which challenge the quality of 
the filtering achieved by these different consistency types. 



4.1. Partial Consistencies over Parametric ODEs 

The two main partial consistencies used for solving non-linear constraints over real
variables are hull-consistency [12] (or 2B-consistency) and box-consistency [13].
These are approximations of arc-consistency, which is widely used in finite domains.
Arc-consistency eliminates a value from a variable domain if it has no support, i.e. if 
no compatible value exists in the domain of another variable sharing the same 
constraint. In continuous (i.e. infinite) domains this kind of enumeration is no longer 
possible and both hull and box-consistency assume that the domains of the variables 
are convex, so they simply aim at tightening their outer bounds. If the correct domains 
are disjunctive they both admit inconsistencies within the outer limits and some kind 
of higher level algorithm is needed to prune further the solution set (to eliminate 
wrong solutions). 

The key idea behind hull-consistency is to check arc-consistency only at the bounds 
of the variable domains. This means that if a variable is instantiated with the value of 
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one of its bounds then, for each constraint on that variable, there must be a consistent 
instantiation of the other constraint variables. As it is very difficult to check this 
property for complex constraints, the algorithms that impose hull-consistency 
decompose the original constraint system into a set of basic primitive constraints, with 
the addition of extra variables, for which this property can be easily checked locally. 

The major drawback of this decomposition approach is the worsening of the 
locality problem. The existence of intervals for the variables that satisfy (locally) each 
of the constraints does not necessarily mean that they satisfy simultaneously all of 
them. When a complex constraint is subdivided into primitive constraints this will 
only worsen this problem due to the addition of new variables and the increased 
complexity of the constraint network. 

In parametric ODEs, this local hull-consistency achieves, in general, poor filtering. 
On the one hand the potential benefit from using more complex constraints at each 
step is largely eliminated by the increase of complexity on the constraint caused by the 
decomposition of these constraints into basic ones. On the other hand, if more 
intermediate points are considered, the constraint network becomes more complex and 
worsens the locality problems. 

Box-consistency checks the consistency of each bound of the domain of each
variable with the domains of the others. The motivation of this approach is that, after
substituting all but one variable by their domains, the problem of bounding the
remaining variable can be tackled by numerical methods, in particular a combination
of interval Newton iterates and bisection [13]. The main advantage of this approach is
that each constraint can be manipulated as a whole, not requiring the decomposition
into primitive constraints, thus preventing the amplification of the locality problem.

Nevertheless, box-consistency is still inappropriate for dealing with parametric 
ODEs. The reason is that if there are several uncertain parameters, the algorithm to 
enforce box-consistency will try to tighten the bounds of each parameter substituting 
the other parameters by their domains. Hence, it is still necessary to work with a 
parametric ODE (though with one less parameter). Since for these parametric ODEs a 
wide range of trajectories is usually possible, it is rare to obtain inconsistencies 
required for domain reduction (see Section 6 for an example). 

What seems to be needed to deal with parametric ODE problems is the 
simultaneous instantiation of all parameters (similarly to the consistency checking in 
the hull-consistency approach) and manipulation of the ODE constraint network as a 
single global constraint (similarly to the manipulation of each constraint as a whole in 
box-consistency). 

4.2. Global Hull-Consistency over Parametric ODEs 

In order to achieve a good filtering for the domains of the parameters appearing in an 
ODE, we propose an algorithm to guarantee hull-consistency on the parametric ODE 
as a single global constraint. The algorithm is based on two simple assumptions 
(derived from the properties of parametric ODEs): i) to conclude consistency it is 
necessary to find a solution; ii) to conclude inconsistency it is enough to fail a 
consistency check with uncertain domains. 

The high level functioning of the algorithm is sketched in pseudo-code in Figure 2.
The input is the set of initial parameter domains. The output is a boolean denoting
whether the problem is consistent and, if consistent, the narrowing of the parameter
domains according to global hull-consistency. To obtain these results, and while no
inconsistency has been detected, each parameter domain (D_i = [D_i^-..D_i^+]) is processed
by specialised functions (shrink_left and shrink_right) that compute the leftmost (lb_i)
and rightmost (rb_i) values of each parameter domain that belong to some instantiated
solution, thus imposing hull-consistency on each bound. Inconsistency is detected by
these functions and interrupts the while loop.

function global_hull_consistency(in {D_1,...,D_n}, out {D_1',...,D_n'}): boolean
  consistent ← true
  i ← 1
  while i ≤ n and consistent do
    if shrink_left(i, {D_1',..., D_{i-1}', D_i, D_{i+1},...,D_n}, lb_i) then
      rD_i ← [lb_i..D_i^+]
      if shrink_right(i, {D_1',..., D_{i-1}', rD_i, D_{i+1},...,D_n}, rb_i)
        then D_i' ← [lb_i..rb_i]
        else consistent ← false
    else consistent ← false
    i ← i+1
  endwhile
  global_hull_consistency ← consistent



Fig. 2. The global hull-consistency algorithm. 

Note that this procedure is similar to the narrowing method used by Newton [13] to
guarantee box-consistency, although it requires no fixpoint algorithm. The reason is
that, after narrowing each variable domain, each one of the new bounds appears in one
solution and so, whatever filtering is done in the remaining variable domains, it will
never delete the values that supported those bounds.

Function shrink_left is described in Fig. 3 (a symmetric approach is used for
shrinking the right bound). The algorithm first tries to find an instantiated solution s_i
for parameter i. If it fails, there is no possible solution within the range of D_i. If it
succeeds it recursively tries to find a leftmost value within the sub-range [D_i^-..s_i]
(upper bounded by the solution value already found). If there is a new leftmost value
in this sub-range then it is also the leftmost of the original range; otherwise the already
found solution value is the value returned by the function.

function shrink_left(in i, in {D_1,...,D_n}, out lb_i): boolean
  if solution(i, {D_1,...,D_n}, s_i) then
    lD_i ← [D_i^-..s_i]
    if shrink_left(i, {D_1,..., D_{i-1}, lD_i, D_{i+1},...,D_n}, b_i)
      then lb_i ← b_i
      else lb_i ← s_i
    shrink_left ← true
  else shrink_left ← false



Fig. 3. The algorithm used to narrow the left bound of a variable domain. 
Notice that the above algorithm always converges, because in each recursion step
the range considered to look for a leftmost value is narrowed and there is a machine
limitation for the representation of real numbers, or fails when there are no solutions.
Moreover, if it succeeds, then a solution has been found (with the value lb_i for the
parameter i), guaranteeing the full consistency of the returned value. Therefore, to
guarantee that lb_i is the leftmost possible value for the parameter i, it is only necessary
to assure that function solution does not miss any possible solution, i.e. it will only fail
in case of inconsistency.

Function solution, shown in Fig. 4, meets this condition and is in accordance with
the two assumptions presented at the beginning of this section. It first tries to prove
inconsistency by checking the consistency with the actual parameter ranges. If an
inconsistency is detected then it fails immediately; otherwise it tries to guess a
possible solution by instantiating all domains with their mid values and checking
consistency again. If a solution is found then the value of the parameter i is returned;
otherwise it is necessary to continue the search. The whole search space will be split in
two and the search for a solution will be performed recursively in each subdivision (of
course, once a solution is found, the algorithm stops). In order to split the search
space, one parameter is chosen (the one with the widest domain) and its domain is
divided into two halves.

function solution(in i, in {D_1,...,D_n}, out s_i): boolean
  if consistency_check({D_1,...,D_n})
    then for j = 1 to n do D_j' ← (D_j^- + D_j^+)/2
         if consistency_check({D_1',...,D_n'})
           then s_i ← D_i'
                solution ← true
           else D_k ← widest_domain({D_1,...,D_n})
                lD_k ← [D_k^-..(D_k^- + D_k^+)/2]
                if solution(i, {D_1,..., lD_k,...,D_n}, s)
                  then s_i ← s
                       solution ← true
                  else rD_k ← [(D_k^- + D_k^+)/2..D_k^+]
                       if solution(i, {D_1,..., rD_k,...,D_n}, s)
                         then s_i ← s
                              solution ← true
                         else solution ← false
    else solution ← false



Fig. 4. The algorithm for finding a particular solution. 

Again the above algorithm always converges (because in each recursion step the
search space is reduced and there is a machine limitation for the representation of real
numbers) or fails (if there are no solutions). However, the number of consistency
checks can be huge (in the worst case it corresponds to analysing every possible
instantiation in the search space).

For practical reasons it is better to use a coarser approximation of this global
hull-consistency enforcing algorithm. To this end, a minimum width (w) is defined below
which a parameter domain is considered "instantiated". With this relaxation the
algorithm will not split a search space further if all the variable domain widths are less
than w.

Although this algorithm was implemented to deal with parametric ODEs (because 
none of the current consistency approaches were able to narrow the domains - see 
Section 6) it is still adequate for any other problem where narrowing the variable 
domains is a key issue. 
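As an added illustration (not the paper's code), the following Python implements the global hull-consistency procedure of Figs. 2 to 4, with the minimum-width relaxation, over the period relation (2) of Section 2: the consistency check on a parameter box is the interval evaluation of (2) against an assumed target range for T, standing in for the validated trajectory check of Section 5, and the ±50% domains around the typical values of Section 6 are constructed input.

```python
"""Global hull-consistency (Figs. 2-4 plus the minimum-width relaxation) over the period
relation (2), T = 2*pi / sqrt(p1*p3 + p2*p4). Added example, not the paper's code."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def mid(self):
        return (self.lo + self.hi) / 2

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __mul__(self, o):
        ps = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(ps), max(ps))

    def intersects(self, o):
        return self.lo <= o.hi and o.lo <= self.hi


def period(p):
    """Interval extension of (2); exact here because every parameter occurs once."""
    s = p[0] * p[2] + p[1] * p[3]  # all parameters are positive
    return Interval(2 * math.pi / math.sqrt(s.hi), 2 * math.pi / math.sqrt(s.lo))


class GlobalHull:
    """Narrows domains so that every bound belongs to some solution of one global constraint."""

    def __init__(self, init, check, rel_w=1e-3):
        # `check` decides consistency of a box and must never miss a solution
        self.init, self.check, self.n_checks = list(init), check, 0
        # minimum width w below which a domain counts as instantiated; assumed here
        # to be relative to each initial domain (the paper uses a single w)
        self.w = [rel_w * (d.hi - d.lo) for d in init]

    def _consistent(self, box):
        self.n_checks += 1
        return self.check(box)

    def solution(self, i, box):
        """Fig. 4: a value of parameter i from some (w-instantiated) solution in box, or None."""
        if not self._consistent(box):
            return None
        mids = [Interval(d.mid(), d.mid()) for d in box]
        if self._consistent(mids) or all(d.hi - d.lo <= w for d, w in zip(box, self.w)):
            return box[i].mid()
        k = max(range(len(box)), key=lambda j: box[j].hi - box[j].lo)  # widest domain
        m = box[k].mid()
        for half in (Interval(box[k].lo, m), Interval(m, box[k].hi)):
            s = self.solution(i, box[:k] + [half] + box[k + 1:])
            if s is not None:
                return s
        return None

    def shrink(self, i, box, left):
        """Fig. 3 and its mirror image, as a loop re-searching [D_i^-..s] (or [s..D_i^+])."""
        s = self.solution(i, box)
        if s is None:
            return None
        bound = box[i].lo if left else box[i].hi
        while abs(s - bound) > self.w[i]:
            d = Interval(bound, s) if left else Interval(s, bound)
            nxt = self.solution(i, box[:i] + [d] + box[i + 1:])
            if nxt is None:  # no solution beyond s: s is the (coarse) hull bound
                return s
            s = nxt
        return bound  # within w of the original bound: keep that bound

    def narrow(self):
        """Fig. 2: returns (consistent, narrowed domains), stopping at the first failure."""
        box = list(self.init)
        for i in range(len(box)):
            lb = self.shrink(i, box, left=True)
            if lb is None:
                return False, box
            box[i] = Interval(lb, box[i].hi)
            rb = self.shrink(i, box, left=False)
            if rb is None:
                return False, box
            box[i] = Interval(lb, rb)
        return True, box


# Constructed input: the typical normal values of Section 6 with +/-50% bounds.
TYPICAL = (0.0044, 0.04, 0.0044, 0.03)
INIT = [Interval(0.5 * v, 1.5 * v) for v in TYPICAL]


def narrow_for_period(t_range, init=INIT):
    """Narrow the parameter domains to those compatible with a period T in t_range."""
    gh = GlobalHull(init, lambda box: period(box).intersects(t_range))
    ok, box = gh.narrow()
    return ok, box, gh.n_checks
```

Over the initial domains the interval evaluation of (2) gives T in about [119.9..359.9], the "Initial domains" row of Table 3; with T constrained to [170..190] the lower bounds of p_2 and p_4 are raised while p_1 and p_3 stay unchanged, and a range such as [400..500] is rejected by the very first consistency check.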



5. An Incremental Constraint Approach for Parametric ODEs 

The previous section has shown that dealing with parametric ODEs within a decision 
support context requires the simultaneous instantiation of all the parameters. The 
implications are, in general, a very large number of consistency checks. 

Existing validated approaches were developed with the purpose of solving an ODE 
problem by minimising the uncertainty around the true trajectory. In order to do this, 
as seen in Section 3, the approximated trajectory is calculated in a number of 
intermediate points t , between t 0 and t n , the initial and final points of the trajectory. If 
the purpose is to minimise the uncertainty around the true trajectory, a large number of 
intermediate points should be considered. 

Of course there is a price to pay in computation time, dramatically magnified if a 
large number of consistency checks are requested. Notice that the sequential process 
of calculating the trajectory approximation prevents any attempt to derive conclusions 
about the trajectory value of the final point without first considering all the 
intermediate points. The above static sequential approach may spend too much effort 
in looking for precision when a less accurate result could be sufficient to detect 
inconsistency. Much of the consistency checks required by the algorithm of the 
previous section do not require such high precision and can be done with a variable 
number of intermediate points. 

Therefore we propose an alternative dynamic approach where the interval
approximation of the whole trajectory is done incrementally. The main idea is that,
since it is impossible to decide a priori how many intermediate points are necessary to
check consistency, the least number possible is attempted first, to avoid unnecessary
time costs.

Therefore it is essential to link as soon as possible the initial point of the trajectory 
with the final point to obtain a first, possibly very imprecise, interval approximation of 
the true trajectory. Without this connection, consistency cannot be checked. If such 
first trajectory does not allow a decision regarding the existence (or not) of a 
consistent solution then new intermediate points are added together with the associated 
constraints (corresponding to the approximation step). These will eventually narrow, 
through propagation, the bounds of the trajectory. The uncertainty about the trajectory 
is thus incrementally reduced, allowing the algorithm to stop whenever a consistency 
check is solved (or, as we will see below, there is a reason to believe that it can never 
be solved due to the uncertainty of the parameters). 

The incremental approach we propose consists of two parts: firstly, the initial point 
is linked with the final point of the trajectory; secondly, the trajectory uncertainty is 
incrementally reduced. 
5.1. Linking the Initial with the Final Point of the Trajectory



The underlying goal of the algorithm is to consider the smallest possible number of
intermediate points. The ideal would be to link the initial point directly with the final point
without considering any intermediate point. So, this direct connection is tried first.

As seen in Section 3.2, the process of linking any two points (by a validated
method) involves a first phase to bound the error term that is used in a second
approximation phase. The strategy used in the first phase is normally based on the
Picard operator (Φ) in the following way:

Let u' = f(t, u) be an ODE system;

Let t_i be the initial point, t_f the final point and h = t_f − t_i;

Let box D_i be the uncertainty bounding box of the trajectory at point t_i;

Let F be the interval extension of f;

If it is possible to find some box B with D_i ⊆ B and such that:

$$\Phi(B) = D_i + [0, h]\, F([t_i, t_f], B) \quad \text{and} \quad \Phi(B) \subseteq B \qquad (5)$$

Then: there is a unique solution (between t_i and t_f) for the system with u(t_i) ∈ D_i, and
Φ(B) is a bounding box for the trajectory between the two points.

The traditional procedure now is to try different guesses for the box B and/or to 
consider smaller steps to reduce h. Notice that by reducing h, it is always possible to 
guarantee the condition (5) for any box B. In sequential approaches the step 
considered is usually small, and B is easily obtained. However, in our approach we are 
trying large steps and so, convergence is not guaranteed. 

Our algorithm thus starts with an initial guess B_0 for box B and checks condition
(5). If it is verified, it tries to narrow the first guess further by taking B = Φ(B_0) as a
new guess for B, and this process is repeated until a fixpoint is reached. Otherwise, if
condition (5) is false, the algorithm concludes that the step is too big and tries a
smaller one (half the size of the current step).

Using the above algorithm the trajectory is bounded between t_0 and an intermediate
point t_1 that is as close as possible (using this method) to the final point. Subsequently,
in the second phase, a better enclosure for the value of the trajectory at the
intermediate point (u(t_1) ∈ D_1) is obtained by the constraint below, corresponding to
the Taylor approximation step of order k (we used k=4) between the two points with
the bounded error term:



$$D_1 = D_0 + \sum_{i=1}^{k-1} \frac{(t_1 - t_0)^i}{i!}\, F^{(i-1)}(t_0, D_0) + \frac{(t_1 - t_0)^k}{k!}\, F^{(k-1)}([t_0, t_1], \Phi(B)) \qquad (6)$$



The complete connection with the final point is obtained applying recursively the 
above algorithm each time trying to link directly the last intermediate point to the final 
point. 



5.2. Reducing the Trajectory Uncertainty 

Once the initial point is connected with the final point of the trajectory, a first consistency
check is performed. Let C_f be a box representing the values of the trajectory at the
final point whose consistency is being checked, and let D_f be the calculated box for the
approximated trajectory value at that same point. The consistency check problem is
already decidable if D_f ∩ C_f = ∅ (it is inconsistent) or if D_f ⊆ C_f (it is consistent).
Otherwise no conclusion can be drawn, and a further refinement of the trajectory
approximation is needed.

At this stage, the algorithm will incrementally consider new intermediate points
until a stopping criterion is satisfied. This is a three step process: firstly it chooses
where to introduce the new point; secondly it adds the constraints relating the new
point with the points already considered; and finally it verifies the stopping criterion.



Choosing a new intermediate point. The new intermediate point should be placed so 
as to obtain the best refinement of the trajectory approximation. Unfortunately, it is 
not possible to predict the overall refinement, and a heuristic choice must be used. We 
have tried several heuristics (only mid points of existing intervals are considered) and 
the two most promising were: 

a) the mid point between the two most distant adjacent points already considered; 

b) the mid point between the two adjacent points already considered where the 
trajectory uncertainty between them had increased the most. 



Adding the constraints for the new point. Once a new intermediate point t_k has been chosen
between two points t_i and t_j already considered, the constraints associated with the approximation step (Eq. 6)
must be added, first to link t_i and t_k, and then to link t_k and t_j. In order to do so, new a
priori enclosure bounds should be calculated (as described in 5.1) between t_i and t_k and
between t_k and t_j. After adding these constraints, the refinement of the trajectory
approximation is achieved through constraint propagation.

The stopping criterion. The stopping criterion must evaluate whether it is worth
considering further intermediate points for the refinement of the trajectory
approximation when the consistency checking problem has not yet been decided.
Two cases must be considered:

a) either the uncertainty on the parameters will not allow any conclusion, even with
a "perfect" approximation method; or

b) a conclusion on consistency can be obtained if the approximation is refined.

Clearly, in the first case the algorithm should stop and in the second case it should
go on. However, it is difficult to decide which is the present case.

The heuristic we have used is based on the improvement (Δ) achieved in the last
iteration, i.e. the difference between the uncertainty before and after considering the
last intermediate point. It also measures how far away the current approximation is
from a possible decision. This distance (δ) is obtained by examining the decision
requirements (D_f ∩ C_f = ∅ and D_f ⊆ C_f) and calculating the minimum uncertainty
improvement that is necessary for D_f to verify one of them.

Assuming that in the next iterations the uncertainty improvement will be the same
as the last one (Δ), at least δ/Δ new points will be necessary to reach a
conclusion. So, the stopping criterion is as follows: if the number of points already considered
plus the δ/Δ new points exceeds a predefined threshold then it stops; otherwise
it continues.
6. Results

To illustrate the possibilities of our proposed approach we have used it to support the
diagnosis of diabetes based on the model presented in Section 2. On arrival at the
hospital, two patients ingested a large amount of glucose. Table 1 shows the results of
the blood tests performed during the first 3 hours of the test.



Table 1. The glucose and insulin blood concentration measurements during a glucose tolerance
test performed in two patients (deviations from the fasting level concentrations).

             after ingestion    1 hour later        2 hours later        3 hours later
Patient 1    g=80; h=0          g=-29.7; h=46.4     g=-24.8; h=-34.5     g=35.8; h=-1.5
Patient 2    g=80; h=0          g=18.1; h=41.4      g=-38.8; h=18.6      g=-28.0; h=-15.9


Based on this data, and assuming that the acceptable bounds for the parameter
values are +/- 50% of the typical normal values (p_1=0.0044, p_2=0.04, p_3=0.0044,
p_4=0.03), it is necessary to decide whether the patients are diabetic or normal. We would like
to narrow the range of the parameters according to the available data (through
constraint propagation) so as to be able to make a safe decision.

The values of Table 1 were artificially chosen to coincide with the simulations of
Section 2. Hence, perfect constraint propagation from this data on equations (1) and
(2) would establish a period T_1 = 179.9 for patient 1 and T_2 = 289.9 for patient 2, thus
implying that the first patient is normal and the second diabetic. Nonetheless, such a
conclusion could not be reached with the usual consistency enforcing techniques,
namely local hull-consistency and box-consistency.

To enforce local hull-consistency a constraint network was defined for the validated
approximation of the trajectory of the parametric ODE (as explained in Sections 3 and
5) and the information about the observed trajectory values was added. This was
implemented in the constraint programming language DECLIC [14], which allows the
definition of interval constraints and offers a propagation mechanism for enforcing
hull-consistency (and box-consistency as well) on each individual constraint. After
propagation, the ranges of the parameter domains remained exactly the same, and so
this consistency requirement was not sufficient to solve the problem.

To check whether a global box-consistency strategy would achieve any pruning, we 
have checked whether the original domains for the parameters were already 
box-consistent. To do this, we checked the consistency of both bounds of the domain 
of each variable with the domains of the other variables (see Section 4.1). As there are 
4 parameters, 8 bounds were checked for box-consistency, i.e. we computed the 
trajectory obtained by instantiating each bound (one at a time) and verified whether it 
included the observed trajectory values. Table 2 shows the trajectory values, at minute 
60, obtained for each bound instantiation, which clearly include the observed values 
for both patients (similar results were obtained for the other observed trajectory 
values). Therefore, no pruning on the model parameters could be achieved by 
box-consistency alone (nor could the patients be diagnosed). 
Table 2. Trajectory values at minute 60 calculated for each parameter bound instantiation. The
observed values were: g=-29.7 and h=46.4 for patient 1; g=18.1 and h=41.4 for patient 2.

p1 = p1^-  →  (g = [-238..93];  h = [-112..176])
p1 = p1^+  →  (g = [-209..79];  h = [-104..156])
p2 = p2^-  →  (g = [-142..47];  h = [14..165])
p2 = p2^+  →  (g = [-204..75];  h = [-104..141])
p3 = p3^-  →  (g = [-243..97];  h = [-117..176])
p3 = p3^+  →  (g = [-220..93];  h = [-104..156])
p4 = p4^-  →  (g = [-42..48];   h = [21..55])
p4 = p4^+  →  (g = [-203..48];  h = [-75..133])




Enforcing global hull-consistency with our proposed approach we obtained the 
bounds for the model parameters shown in Tables 3 and 4. Table 3 shows the 
narrowing of the parameter domains obtained by considering the trajectory values 
observed at minute 60 for both patients. 



Table 3. First pruning of the parameter domains.

             Initial domains     Patient 1 (g=-29.7 and h=46.4)   Patient 2 (g=18.1 and h=41.4)
p1           [0.0022..0.0066]    [0.0022..0.0066]                 [0.0022..0.0066]
p2           [0.0200..0.0600]    [0.0324..0.0490]                 [0.0238..0.0360]
p3           [0.0022..0.0066]    [0.0022..0.0066]                 [0.0028..0.0066]
p4           [0.0150..0.0450]    [0.0222..0.0415]                 [0.0150..0.0179]
T            [119.9..359.9]      [137.8..233.5]                   [239.5..329.8]
Decision     Unknown             Normal ??                        Diabetic ??



The pruning obtained after this propagation is already enough to decide the right
diagnosis for each patient (i.e. whether T < 240). However, if a more precise
evaluation of the decision variable is needed (as some of the bounds of T were
"borderline"), then another observed trajectory value may also be considered. Table 4
shows the results obtained by adding the observations at minute 120.



Table 4. Final pruning obtained after the first two observations.

             Patient 1 (g=-24.8 and h=-34.5)   Patient 2 (g=-38.8 and h=18.6)
p1           [0.0022..0.0066]                  [0.0022..0.0066]
p2           [0.0324..0.0490]                  [0.0273..0.0319]
p3                                             [0.0028..0.0052]
p4           [0.0258..0.0341]                  [0.0150..0.0179]
T            [151.7..216.7]                    [255.3..308.2]
Decision     Normal !!                         Diabetic !!



After considering the observations made in the first two hours of the glucose tolerance
test, and using our global hull-consistency enforcing algorithm on the patient model, we
could reach clear diagnoses: patient 1 is normal and patient 2 is diabetic.
7. Conclusions

This paper addressed the application of interval constraints to problems involving 
parametric ODEs. The motivation is the need in many decision support applications 
(e.g. in medicine, economics or engineering) to narrow the possible ranges of the 
parameters of such ODEs in order to make safe decisions. Current analytical 
approaches are not adequate because many systems have no analytical solutions; 
traditional numerical simulation methods are also inadequate since they cannot 
provide safe ranges for the model parameters. 

Although ODEs have recently been handled by constraint techniques, research done 
so far has focussed on the precision of the trajectories of such systems. Of course, 
such precision cannot be very high if the parameters of an ODE are themselves known 
with little precision. Because of their different focus, these approaches are not able to 
narrow the ODE's parameters, given some experimental or observed data, in order to 
fit a parametric ODE model to these observations. 

Therefore we proposed in this paper a new consistency type, global hull-consistency, 
and described an algorithm to enforce it. This algorithm is improved by 
the use of an incremental approach to compute trajectories. 

We illustrated our method with a problem from the medical domain (diagnosis of 
diabetes). We showed that the usual consistency techniques are not useful for the 
problem at hand and showed how our approach correctly diagnoses the patients. 

Being a preliminary implementation, we anticipate that further work is required to 
improve our current implementation. Moreover, we intend to study a more formal 
characterisation of the new consistency type that we have proposed. The results 
obtained so far demonstrate the need to improve on the current types of consistency 
checking in the interval domain, and we are confident that our proposal may be 
considered a promising starting point. 
Abstract. We discuss a pragmatic approach to integrate computer algebra 
into proof planning. It is based on the idea of separating computation 
and verification and can thereby exploit the fact that many elaborate 
symbolic computations are trivially checked. In proof planning the separation 
is realized by using a powerful computer algebra system during 
the planning process to do non-trivial symbolic computations. Results of 
these computations are checked during the refinement of a proof plan to 
a calculus level proof using a small, self-implemented system that gives 
us protocol information on its calculation. This protocol can be easily 
expanded into a checkable low-level calculus proof ensuring the correctness 
of the computation. We demonstrate our approach with the concrete 
implementation in the ΩMEGA system. 



1 Introduction 

In recent years there have been many attempts at combining computer algebra 
systems (CAS) and deduction systems (DS), either for the purpose of enhancing 
the computational power of the DS [17, 18, 3] or in order to strengthen the 
reasoning capabilities of a CAS [1, 4]. For the former integration there exist 
basically three approaches: (1) to fully trust the CAS, (2) to use the CAS as an 
oracle and to try to reconstruct the proof in the DS with purely logical inferences, 
and (3) to generate protocol output during a CAS calculation and to use this 
protocol to verify the computation. Following approach (1) one cannot guarantee 
the correctness of the proof in the DS any longer. While correctness is no issue 
in approach (2), it foregoes the efficiency of a CAS, and replaying the computation 
with purely logical reasoning might still be a hard task for the DS. Approach (3) is a 
compromise, where one can employ the computational strength of a CAS and 
additionally gain important hints easing the reconstruction and checking of the 
computation. 

We have, indeed, successfully experimented with idea (3) by implementing a 
prototypical CAS (μCAS) that is a small library of simple polynomial algorithms 
which give us protocol information on their computations [18, 23]. This protocol 
information is used to derive abstract proof plans that can be transformed into 
proofs of the ΩMEGA system [16]. Exploiting ΩMEGA's ability of step-by-step 
expansion of proof plans into natural deduction (ND) calculus proofs [13], the 
computations can be machine-checked on a fine-grained calculus level. While this 
way of integrating a computer algebra system into ΩMEGA solves the correctness 
issue, it has the drawback that apart from μCAS there does not exist a full-grown 
CAS that provides us with the necessary protocol output on its calculations. 

In this paper we present a pragmatic approach working around this problem 
in proof planning. It is based on the idea presented in [17] that many 
hard symbolic computations are easy to check. As an example for this thesis 
one may consider symbolic integration, a surely non-trivial computation, whose 
verification is to simply differentiate the result of the integration algorithm. We 
exploit this fact within the proof planning component of ΩMEGA: results of 
non-trivial symbolic computations are used during the proof planning process. 
The verification of these calculations is postponed until a complete proof plan is 
refined to a low-level calculus proof, and it is arranged in a way that we can use 
the trivial direction of the verification. This is achieved by using Maple [22] for 
computations during the planning process and μCAS to aid the verification. The 
technique we present here is already successfully applied in the ΩMEGA system 
in the domains of limit theorems and optimization problems. For a detailed report 
concerning proof planning of limit theorems see [20], and for some earlier work on 
optimization problems see [18]. In this paper we will only be concerned with the 
details of these problems that involve the application of computer algebra. 

The paper is organized as follows: We first give a general overview of proof 
planning and its special features in ΩMEGA in the next section. In Sec. 3 we 
present the general architecture of the integration of CAS into ΩMEGA and elaborate 
how the systems Maple and μCAS are used within the proof planning 
component of ΩMEGA in order to achieve our goal of separating non-trivial computation 
and easy verification. In Sec. 4 we tackle the problem of how to deal 
with different normal forms of different systems that can arise in our context. In 
Sec. 5 we illustrate our ideas with two examples from the domains of limit theorems 
and optimization problems. We finally discuss advantages and drawbacks 
of the presented approach in Sec. 6 before concluding in Sec. 7. 

2 Proof Planning in ΩMEGA 

The purpose of the ΩMEGA system is to provide assistance in the process of 
deriving, presenting and checking proofs in mathematics. It provides several 
means to prove theorems: by applying tactics, by using external reasoners 
such as automated theorem provers or CAS, or by automatically planning 
proofs with the help of a proof planner. ΩMEGA's basic logic is a variant of the 
natural deduction (ND) calculus [13] based on a higher-order λ-calculus [8]. As 
ΩMEGA makes correctness assumptions neither about the incorporated external 
reasoners nor about tactics or planning methods a user specifies, it requires 
that proofs are finally checked in the basic calculus to ensure correctness. Thus, 
although proofs can be both constructed (either interactively or automatically) 
and represented on more abstract levels, ΩMEGA accepts a proof as valid 
only if it can be successfully expanded into a proof object whose derivations are 
in the basic ND calculus and can be machine checked. 
ΩMEGA's proof planner is designed to automatically plan proofs on an abstract 
level by constructing a sequence of methods that represents an abstract 
derivation for a given theorem from a set of assumptions. Methods are (partial) 
specifications of tactics [5] known from tactical theorem proving [15]. In 
ΩMEGA planning methods are declaratively represented in frame-like structures 
consisting of four major slots (two instances of methods are given in Sec. 5): 
Premises and Conclusions are sets of sequents where the method serves to logically 
derive the conclusions from the premises. Single sequents can be annotated 
in STRIPS-style with ⊕ or ⊖ (cf. [10]) specifying whether a sequent is added to 
or removed from the planning state by the method application. In particular, 
a conclusion annotated with ⊖ is a goal that is closed by the method and a 
premise annotated with ⊕ represents a new open subgoal that will have to be 
proved after the application of the method. 

Proof Schema is a schematic specification of the sub-proof the method abbreviates. 
The schemas of premise and conclusion sequents are matched against 
actual formulas in a proof in order to determine the method's applicability. 
Moreover, the proof schema can contain lines that are introduced into the proof 
only when the application of the method is refined by expansion. 

Application Conditions are constraints on the particular instantiations of the 
parameters of a method that have been introduced by matching of the proof 
schema. A method is applicable with an instantiation I of parameters if and only 
if for I none of the application conditions evaluates to false. Thus, application 
conditions can either fail or return some values which can be bound to additional 
method parameters. This offers a platform to execute arbitrary functions, e.g., 
calls to external reasoners. 

Once a proof plan has been found in ΩMEGA, it has to be refined by expanding 
it to an ND calculus-level proof to gain a proof object which can be checked 
in order to ensure its validity. This expansion is a recursive process, i.e., the 
expansion of a planning method or an abstract tactic yields a subproof which can 
again contain abstract proof steps that can be expanded further. The expansion 
is generally not carried out immediately but postponed until a full proof plan 
has been found. Yet, as long as a proof step still has an abstract justification, 
i.e., a justification that does not belong to the set of basic ND calculus rules, it 
is considered planned. ΩMEGA's main data structure for storing proofs and proof 
plans, the proof plan data structure PDS [7], offers facilities to execute 
this expansion as well as to contract expanded subproofs to shorter, abstract 
proofs again. The expansion of abstract proof steps is triggered either manually 
by the user or automatically by the proof checker and executed automatically 
by ΩMEGA. 

3 Integration of Computer Algebra 

In this section we first present the general architecture for the integration of 
computer algebra into ΩMEGA. For a more detailed introduction see also [18, 23]. 
Then we elaborate our new approach for integrating symbolic computations and 
their verification into proof planning in ΩMEGA. 

3.1 Architecture 

The integration of computer algebra into ΩMEGA is accomplished by the SAPPER 
system [23] which can be seen as a generic interface for connecting one or several 
computer algebra systems (see Figure 1). An incorporated CAS, like Maple [22] 
or μCAS [23], is treated as a slave to ΩMEGA, which means that only the latter 
can call the former but not vice versa. From the technical point of view, ΩMEGA 
and the CASs are independent processes while the interface is a process providing 
a link for communication. Its role is to automate the broadcasting of messages 
by transforming output of one system into data that can be processed by the 
other.¹ The maintenance of processes and passing of messages is managed by 
the MathWeb [11] environment into which ΩMEGA is embedded. 

The role of SAPPER in the integration has two distinct aspects: firstly, arbitrary 
CASs can be easily used as black box systems for term rewriting (similar 
to the approaches of [4, 3]) and SAPPER works as a simple bridge between the 
planner and the CASs. Secondly, SAPPER also offers means to use a CAS as a 
proof planner. That is, if the CAS can provide additional information on its computations, 
this information is recorded by SAPPER and translated into a sequence 
of tactics that can eventually verify the computation. Since there does not exist 
a state-of-the-art system that provides this information, we use our own μCAS 
system, which is a collection of simple algorithms for arithmetic simplification and 
polynomial manipulations including a plan generating mode (cf. [18]). 

The two tasks of a CAS, rewriting and plan generation, are mirrored in the 
interface (cf. Fig. 1), which basically can be divided into two major parts: the translator 
and the plan generator. The former performs syntax translations between 
ΩMEGA and a CAS in both directions while the latter only transforms protocol 
output of μCAS into ΩMEGA proof plans. Figure 1 also depicts the different uses 
of the two CAS involved: while Maple is connected as a black box system only, 
μCAS can be used both as black box and as plan generator. 

While the translation part is very common, the plan generator is the actual 
specialty of SAPPER. It provides the machinery for the proof plan extraction from 
the specialized algorithms in μCAS. These are equipped with a proof plan generating 
mode that returns information on single steps of the computation within 
the algorithms. The output produced by the execution of a particular algorithm 
is recorded by the plan generator which converts it, according to additional 
information on the proof, into a proof plan. In order to produce meaningful information 
μCAS needs to have a certain knowledge about the proof methods 
and tactics available to ΩMEGA in its knowledge base. Thus references to logical 
objects (methods, tactics, theorems, or definitions) of the knowledge base are 
compiled a priori into the algebraic algorithms for documenting their calculations. 
SAPPER's plan generator uses the produced protocol output to look up tactics 
and theorems of an ΩMEGA theory (cf. Figure 1) in order to assemble a valid 
proof plan. How algorithms in μCAS have to be expanded and how the plan 
generation is performed is illustrated in Sec. 3.3. 



¹ This is an adaptation of the general approach on combining systems in [9]. 

Fig. 1. Interface between ΩMEGA and computer algebra systems 

3.2 Integration into Proof Planning 

When integrating computer algebra into proof planning we have to keep in mind 
that all plans have to be expandable to ND calculus proofs. However, using a 
system whose computations are checkable, like μCAS, restricts us to the use of 
its rather simple algorithms, which might not always be sufficient for the task 
at hand. What we really would like is to combine the computational power of 
a CAS like Maple to perform non-trivial computations with the verification 
strength of μCAS, i.e., simple arithmetic. 

Therefore, we try to exploit as much as possible the fact that many difficult 
symbolic computations are easy to verify. This is folklore in mathematics and 
has already been elaborated in [17]; the most prominent example for this is certainly 
symbolic integration, which is still a hard task for many CASs. Results 
of symbolic integration algorithms are, however, easily checked, since checking only 
involves differentiating the result and comparing it with the original function. Other 
examples are the computation of roots of functions or the factorization of polynomials, 
which involve non-trivial algorithms, but the verification of the results only 
involves straightforward arithmetic. 

The separation of computation and verification can be easily achieved within 
proof planning: During the planning process the applicability of a method is 
    (addition (a+c b+d)
      (cond ((not (monomial a))
             (addition (addition (simplify a) c) b+d))
            ((not (monomial b))
             (addition a+c (addition (simplify b) d)))
            ((a =lex b)
             (tactic "mono-add")
             ((add a b) + (addition c d)))
            ((a <lex b)
             (tactic "pop-first")
             (a + (addition c b+d)))
            ((a >lex b)
             (tactic "pop-second")
             (b + (addition a+c d)))))

Fig. 2. Polynomial addition in μCAS. 



solely determined by matching and checking the application conditions. As mentioned 
earlier, the latter can be used to execute arbitrary functions; therefore 
we can also implement conditions that call Maple and, in case useful results are 
returned, bind these to some method parameters. During the planning process 
we are not concerned with the verification of the computation, and postpone 
it until the method is actually expanded. This is done by stating a rewriting 
step that is justified by the application of a CAS within the proof schema of the 
method, preferably in those lines that are introduced during the expansion of 
the method. 

Thus, we design our planning methods in a way that Maple is called in one 
of the application conditions to perform the difficult computations during the 
planning process. The proof schema then contains the appropriate proof steps 
that enable the application of μCAS to verify Maple's computation during the 
refinement of a proof plan, in the easier direction. 



3.3 Verification of Computations 

To implement a plan generating mode is a simple task for simple CAS algorithms. 
Figure 2 shows a simplified version of the recursive addition algorithm 
in μCAS's arithmetic simplification module in a Lisp-like pseudo-code. μCAS 
works with a polynomial-like representation of given terms together with a lexicographic 
monomial ordering. Thus the simplification algorithm of μCAS always 
transforms terms into lexicographically ordered polynomials and, in case of rational 
functions, into a fraction of two polynomials. 

The algorithm in Fig. 2 is basically a case split where the first two cases 
ensure that the arguments are in some normalized form. The last three cases 
then take care of correctly adding the two argument polynomials. The predicates 
=lex, <lex and >lex correspond to comparison of monomials according to 
the lexicographical term-ordering in μCAS. The protocol output of the tactic 
function corresponds to names of tactics that are known to ΩMEGA and from 
which a proof plan can be assembled. This proof plan can be inserted into the 
given proof and further expanded using ΩMEGA's tactic expansion mechanism. 
Note that such a proof plan only serves to verify the correctness of the result 
of one run of the algorithm and cannot be used to verify the correctness of the 
entire algorithm. 

Still, the verification of a single computation is not totally trivial, since it 
involves having the appropriate algorithm available in μCAS, extending this 
algorithm with a proof plan generating mode, and maybe writing some of the 
tactics for ΩMEGA that correspond to those in the algorithm. However, as we are 
mainly concerned with verifications involving arithmetic, the latter task should 
diminish over time, since many of the tactics involved can be reused. 

μCAS could also be viewed as a collection of elaborate tactics for ΩMEGA. 
However, it is implemented as an independent system (in Common Lisp) and 
can be used like a regular CAS, even though with very limited power only. 



4 Dealing with Normal Forms 



When using Maple for a computation within some method and μCAS to verify 
Maple's result we might have problems identifying the term resulting from 
μCAS's computation with the original term Maple was applied to. Thus, we 
have to take care of the problem of distinct normal forms of the systems involved 
during the expansion of a computation.² 

Let Φ_0 be the original term in the proof, while Φ_Maple denotes the term which 
results from applying Maple to Φ_0, and let Φ_μCAS be the term returned by 
μCAS applied to Φ_Maple. Furthermore, let (T_1, ..., T_n) be the sequence of tactics 
computed by μCAS whose application to Φ_Maple yields the proof plan (1).³ 

$$\Phi_{\mathrm{Maple}} \xrightarrow{T_1} \Phi_1 \xrightarrow{T_2} \cdots \xrightarrow{T_n} \Phi_{\mu\mathrm{CAS}} \qquad (1)$$



We then have three cases to consider: 

(a) Φ_0 and Φ_μCAS coincide, 

(b) Φ_0 and Φ_μCAS are distinct, however Φ_0 occurs at some point during the 
expansion, and 

(c) Φ_0 and Φ_μCAS are distinct, and Φ_0 does not occur during the expansion. 
Case (a) is trivial. Case (b) means that we have some 1 ≤ i < n, such that 

$$\Phi_{\mathrm{Maple}} \xrightarrow{T_1} \Phi_1 \xrightarrow{T_2} \cdots \xrightarrow{T_i} \Phi_0 \xrightarrow{T_{i+1}} \cdots \xrightarrow{T_n} \Phi_{\mu\mathrm{CAS}} \qquad (2)$$



This problem can be easily solved by successively applying the single tactics and 
checking after each application whether the resulting term is already equivalent 
to Φ_0. In this case the proof can be concluded directly. The remainder of the 
tactic sequence, i.e., (T_{i+1}, ..., T_n) in (2), is discarded. 

² The form of Maple's result may vary even for equivalent arithmetic expressions (in 
two different runs of Maple), depending on the form of the input. For instance, 
Maple's simplification of x + 2z + y − z yields x + z + y, while the same computation 
with input x + y + 2z − z would yield x + y + z in a different run. 

³ For the sake of clarity, we omit any context the terms might be embedded in, i.e., 
we view the proof plan as rewriting steps of a sub-term of some arbitrary formula. 

Case (c) is less trivial since the produced tactics are not sufficient to fully 
justify the computation and thus we are left with a new proof problem, namely 
to derive the equality of Φ_μCAS and Φ_0. However, at this point we can make use 
of the lexicographic term ordering of μCAS: if Φ_μCAS and Φ_0 really constitute 
the same arithmetic expression, applying μCAS's simplification algorithm to Φ_0 
will yield Φ_μCAS. Note that this step might not only include trivial reordering 
of a sum but can contain more sophisticated arithmetic. The execution of the 
simplification algorithm will then return a sequence of tactics (S_1, ..., S_m) that 
results in: 

$$\Phi_{\mathrm{Maple}} \xrightarrow{T_1} \Phi_1 \xrightarrow{T_2} \cdots \xrightarrow{T_n} \Phi_{\mu\mathrm{CAS}} \xleftarrow{S_m} \cdots \xleftarrow{S_1} \Phi_0 \qquad (3)$$



In practice, we deal with this problem slightly differently, since in ΩMEGA's tactic 
expansion mechanism calls to μCAS have to be carried out explicitly by expanding 
the according justification, and not implicitly during an expansion itself. 
Thus, we introduce a new subproof for the equality of Φ_μCAS and Φ_0: 

    Φ_μCAS = Φ_μCAS    (=Ref)
    Φ_μCAS = Φ_0       (CAS)

The first line is an instance of reflexivity of equality, an axiom of ΩMEGA's basic 
calculus. The equation of the second line then serves to apply a rule of equality 
substitution (=Subst) to finish the original expansion, resulting in proof plan (4). 

$$\Phi_{\mathrm{Maple}} \xrightarrow{T_1} \Phi_1 \xrightarrow{T_2} \cdots \xrightarrow{T_n} \Phi_{\mu\mathrm{CAS}} \xrightarrow{=\mathrm{Subst}} \Phi_0 \qquad (4)$$

In order to completely verify the computation the justification (CAS) above must 
be expanded as well. This results in the second call to μCAS, yielding a proof 
plan equivalent to the right-hand side of (3). 



5 Examples 

We illustrate our approach with two examples of proof planning methods that 
are used in different domains. The first is the Complex-Estimate method that 
is needed for the proof planning of limit theorems; the second is the method 
Polynomial-Root which is employed for solving optimization problems. 

The use of proof planning to solve optimization problems is an advancement 
of work already reported on in [18]. However, in [18] we were restricted to the 
use of μCAS and therefore could only tackle problems involving polynomials of 
degree at most two, due to the lack of sophisticated algorithms for computing roots 
in μCAS. We are currently experimenting with a set of 30 different problems, 
where the proofs of most of them can be planned automatically. 

Proof planning of limit theorems is extensively described in [20]. Besides the 
application of computer algebra it also involves the use of a constraint solver 
in order to fully automate the planning process. However, we are not concerned 
with these details here since we will elaborate for neither example how the 
    Method: Complex-Estimate
    Premises:      L1, ⊕L2, ⊕L3, ⊕L4
    Appl. Cond.:   σ ← GetSubst(a, b)
                   k, l ← CASsplit(a_σ, b)
    Conclusions:   ⊖L7
    Proof Schema:
      (L1)  Δ ⊢ |a| < ε1
      (L2)  Δ ⊢ |k| < M                 (OPEN)
      (L3)  Δ ⊢ |a_σ| < ε/2*M           (OPEN)
      (L4)  Δ ⊢ |l| < ε/2               (OPEN)
      (L5)    ⊢ b = b                   (=Ref)
      (L6)    ⊢ b = k*a_σ + l           (CAS L5)
      (L7)  Δ ⊢ |b| < ε                 (fix L6 L1 L2 L3 L4)

Fig. 3. The Complex-Estimate Method 



complete proof plans are found or look like. Instead, we rather concentrate on 
the application of those methods involving computer algebra. In ΩMEGA we can 
currently plan around 20 theorems from the limit domain [19] automatically. 



5.1 The Complex-Estimate Method 

Figure 3 depicts the planning method Complex-Estimate whose purpose is to 
estimate the magnitude of the absolute value of a complex term by estimating 
its simpler factors. The method formalizes the derivation of the conclusion L7 
from the premises L1, L2, L3, and L4. The annotations indicate that the lines 
L1 and L7 have to be present in the current planning state for the method to 
be applicable, whereas L2, L3, and L4 (marked ⊕) will be introduced as new open goals. 

Thus, Complex-Estimate is handled by the planner as follows: If an open 
line in the planning state matches L7 and if an assumption matching L1 is 
available, Complex-Estimate's parameters a, b, ε1, ε are instantiated. Then the 
two application conditions are evaluated. The first, GetSubst(a, b), computes a 
substitution in order to match sub-terms of the expressions a and b. If such a 
substitution exists, it is returned and bound to the parameter σ and the next 
application condition, CASsplit(a_σ, b), is evaluated. Here a_σ denotes the term 
resulting from the application of the substitution σ computed by GetSubst to a. 
CASsplit calls Maple to factorize b. This factorization is done using Maple's 
functions quo and rem which both employ the Euclidean algorithm, where quo 
returns the quotient of a polynomial division (corresponding to k in our method) 
and rem returns the remainder of that division (i.e., l in the method). The two 
functions are called in the following way: quo(b, a_σ, a') and rem(b, a_σ, a'). a' 
is a sub-term of a_σ that functions as the reference variable for the polynomial 
division in quo and rem respectively. Instead of using both Maple functions 
we could have supplied the call of quo with an additional formal parameter to 
store the remainder of the division automatically. However, using rem frees us 
from the requirement to choose the formal parameter distinct from any term 
occurring in both b and a_σ. 
If the two application conditions are successfully evaluated, the instantiated 
method is introduced into the partial plan. The goal L7 is removed as planning 
goal, and the new goals L2, L3, and L4 are introduced instead. 

When an application of the method is expanded later on, the complete sub-proof 
given in the proof schema is introduced, i.e., the sequents L5 and L6 are 
newly added to the proof and the justification of L7 is updated. It is then justified 
by (fix L6 L1 L2 L3 L4), where fix is an abstract justification itself that 
will be expanded during further refinement of the proof plan as well. Lines L5 
and L6 serve to certify the correctness of the values computed by Maple by 
making this computation explicit. Here the equality of b and k*a_σ + l is derived 
from the reflexivity of equality which is an axiom of the underlying calculus. The 
justification of line L6 indicates both that the step has been introduced by the 
application of a CAS and that its expansion can be realized by using μCAS in 
plan generating mode. 

L5 and L6 indicate that for the verification of Maple's computation it is 
necessary to certify that k*a_σ + l can successfully be transformed into b. To 
perform this goal, we must use basic arithmetic only, instead of the considerably 
harder polynomial division performed by Maple. Thus, we can use μCAS's 
simplification component which employs, among others, the algorithm of Fig. 2. 
For a concrete instance μCAS would return a sequence of tactics indicating 
single computational steps that have been performed inside the computer algebra 
algorithm. This proof plan is then inserted into the proof and further expanded 
to show the correctness of the computation. 

As a concrete example we consider the application of Complex-Estimate in 
the proof of LIM+. LIM+ states that the limit of the sum of two functions is 
the sum of their limits and is formalized by: 

$$\forall f.\,\forall g.\,\forall l_1.\,\forall l_2.\ \lim_{x\to a} f(x) = l_1 \wedge \lim_{x\to a} g(x) = l_2 \rightarrow \lim_{x\to a}(f(x) + g(x)) = l_1 + l_2.$$

During the proof planning process for LIM+, the assumption Δ ⊢ |f(X1) − l1| < 
ε1 is available at some point. Next the goal Δ ⊢ |f(x) + (g(x) − (l1 + l2))| < ε 
can be removed by applying the method Complex-Estimate. During matching of 
the premise and conclusion lines the method variables a and b are instantiated 
by (f(X1) − l1) and f(x) + (g(x) − (l1 + l2)), respectively. When the application 
conditions of Complex-Estimate are evaluated, GetSubst returns [x/X1] and 
CASsplit calls Maple to compute the instantiations k and l. The actual function 
calls passed to Maple are 

    quo(f(x)+g(x)−(l1+l2), f(x)−l1, f(x));   rem(f(x)+g(x)−(l1+l2), f(x)−l1, f(x));

returning 1 and (g(x) − l2) as results for k and l, respectively. Because quo 
and rem are algorithms dealing with polynomials only, functional notation is 
abolished in SAPPER's translator when Maple is called; e.g., f(x) would be 
translated into f_x. 

The goal Δ ⊢ |f(x) + g(x) − (l1 + l2)| < ε is then replaced by the new goals⁴ 
1. Δ ⊢ |1| < M,   2. Δ ⊢ |f(x) − l1| < ε/2*M,   3. Δ ⊢ |g(x) − l2| < ε/2. 

⁴ Note that M is a meta-variable, i.e., a place holder for instantiations of an existentially 
quantified variable, that will be instantiated later in the course of planning 
LIM+. Its actual value is, however, irrelevant to our example. 
After a complete proof plan has been found for the LIM+ theorem, the plan 
can be refined to a calculus level proof. We elaborate this expansion for the 
Complex-Estimate method, focusing on the steps of the expansion dealing with 
the verification of Maple's computation: 

    f(x) + (g(x) − (l1 + l2)) = f(x) + (g(x) − (l1 + l2))              (=Ref)
    f(x) + (g(x) − (l1 + l2)) = ((1*(f(x) − l1)) + (g(x) − l2))         (CAS)

Here the second line is justified by the application of a CAS. In order to obtain a 
pure ND-level proof this line needs to be further expanded. However, since during 
the application of Complex-Estimate the values for l and k were computed by 
Maple, we do not have any additional information for an expansion. To justify 
the computation in more detail we use an algorithm within our μCAS system 
in plan generation mode that produces a trace output giving more detailed 
information on single computational steps. Instead of simulating the complex 
algorithm for polynomial division within μCAS, we simply use an algorithm 
that simplifies the term on the right-hand side of the equation. Thus, μCAS 
verifies the result of Maple's computation with the help of a much simpler 
algorithm. The resulting proof plan consists of a sequence of tactics indicating 
single computational steps of the algorithm. Within the PDS, the single step 
can be expanded to a plan with higher granularity. The newly introduced proof 
steps are: 



$f(x) + ((g(x) - l_1) - l_2) = f(x) + ((g(x) - l_1) - l_2)$ (=Ref)
$f(x) + ((g(x) - l_1) - l_2) = f(x) + (g(x) - (l_1 + l_2))$ (CAS)
$f(x) + (g(x) - (l_1 + l_2)) = f(x) + (g(x) - (l_1 + l_2))$ (=Ref)
$f(x) + (g(x) - (l_1 + l_2)) = f(x) + ((g(x) - l_1) - l_2)$ (=Subst)
$f(x) + (g(x) - (l_1 + l_2)) = ((f(x) - l_1) + (g(x) - l_2))$ (Pop-Second)
$f(x) + (g(x) - (l_1 + l_2)) = ((1 * (f(x) - l_1)) + (g(x) - l_2))$ (Mult-1-Left)



The lower four lines correspond to a step-by-step version of the computation as one might do it by hand. We can also observe a conflict of normal forms here, as described in the preceding section. μCAS's simplification algorithm only yields $f(x) + ((g(x) - l_1) - l_2)$ as a result and thus the upper two lines have to be introduced in the proof in order to justify the equality substitution (=Subst). The new (CAS) justification is expanded with another call to μCAS. However, we want to focus on the expansion of the original proof plan, i.e., of the lower four lines. So far the expansion of the original CAS justification has been done exclusively by μCAS's proof plan generation mode. At this stage μCAS cannot provide any more details about the computation, and the subsequent expansion of the next hierarchic level can be achieved without further use of a CAS. Let us for instance take a look at the expansion of the (Pop-Second) tactic, which basically describes the reordering within a sum:




$\ldots = f(x) + ((g(x) - l_1) - l_2)$ (=Subst)
$\ldots = (f(x) + (g(x) - l_1)) - l_2$ (Associativity)
$\ldots = (f(x) + (-l_1 + g(x))) - l_2$ (Commutativity)
$\ldots = ((f(x) - l_1) + g(x)) - l_2$ (Associativity)
$\ldots = ((f(x) - l_1) + (g(x) - l_2))$ (Associativity)
Here the tactics named Associativity and Commutativity correspond to the application of the obvious theorems as rewrite rules. Now the little subproof introduced when expanding (Pop-Second) is already on the level of applications of basic laws of arithmetic. These tactics can, however, be expanded even further. Expanding, for example, the (Commutativity) justification yields:



$\forall a. \forall b.\ a - b = -b + a$ (Theorem)

$\forall b.\ g(x) - b = -b + g(x)$ ($\forall$E $g(x)$)

$g(x) - l_1 = -l_1 + g(x)$ ($\forall$E $l_1$)

$\ldots = (f(x) + (g(x) - l_1)) - l_2$ (Associativity)

$\ldots = (f(x) + (-l_1 + g(x))) - l_2$ (=Subst)

This last expansion step details the application of commutativity of addition as a rewrite step by deriving the right instance from the theorem of commutativity. We can proof-check for correctness if the expansion is carried out up to this detailed level for the whole proof plan μCAS computed to justify the computation.⁵ Provided the proof checker approves and we have correct proofs for all the applied theorems in our database, we have successfully verified the particular computation, which guarantees the correctness of the overall proof.
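The idea behind the expansion above, checking Maple's result with a much simpler algorithm than polynomial division, can be illustrated in code. The following Python checker is an added example, not code from the paper or from μCAS: it brings both sides of the (CAS) equation into a canonical linear form and records every single step, so that a faulty claim is rejected and each recorded step could later be justified as a proof step. The term encoding, the function names and the trace format are assumptions of this example.

```python
# Added example (not μCAS or the paper's code): verify a CAS-produced equality by
# normalising both sides with a simple algorithm instead of re-running the CAS.
from fractions import Fraction
from typing import Dict, List, Tuple, Union

# Constructed term encoding: an atom ('f(x)', 'l1', ...), an integer constant, or
# a binary node (op, left, right) with op in '+', '-', '*' (* only by a constant).
Term = Union[str, int, Tuple]
Form = Dict[str, Fraction]   # canonical linear form: atom -> coefficient, '1' = constant


def _combine(a: Form, b: Form, sign: int) -> Form:
    """a + sign*b, dropping atoms whose coefficient becomes zero."""
    out = dict(a)
    for atom, coeff in b.items():
        out[atom] = out.get(atom, Fraction(0)) + sign * coeff
    return {k: v for k, v in out.items() if v != 0}


def _scale(c: Fraction, form: Form) -> Form:
    return {k: c * v for k, v in form.items() if c * v != 0}


def show(t: Term) -> str:
    if isinstance(t, (int, str)):
        return str(t)
    return f"({show(t[1])} {t[0]} {show(t[2])})"


def show_form(form: Form) -> str:
    return " + ".join(f"{c}*{a}" for a, c in sorted(form.items())) or "0"


def normalize(t: Term, trace: List[str]) -> Form:
    """Reduce t to its canonical linear form, logging each single computational
    step (the analogue of the tactic sequence μCAS emits in plan generation mode)."""
    if isinstance(t, int):
        return {'1': Fraction(t)} if t != 0 else {}
    if isinstance(t, str):
        return {t: Fraction(1)}
    op, left, right = t
    lhs, rhs = normalize(left, trace), normalize(right, trace)
    if op == '+':
        result = _combine(lhs, rhs, +1)
    elif op == '-':
        result = _combine(lhs, rhs, -1)
    elif op == '*':
        # the simple checker only handles multiplication by a constant factor
        if set(lhs) <= {'1'}:
            result = _scale(lhs.get('1', Fraction(0)), rhs)
        elif set(rhs) <= {'1'}:
            result = _scale(rhs.get('1', Fraction(0)), lhs)
        else:
            raise ValueError("non-linear product: outside this checker's scope")
    else:
        raise ValueError(f"unknown operator {op!r}")
    trace.append(f"{show(t)}  ==>  {show_form(result)}")
    return result


def verify_cas_equation(lhs: Term, rhs: Term) -> Tuple[bool, List[str]]:
    """True iff both sides have the same canonical form; the trace records the
    single steps so that each can later be justified as a proof step."""
    trace: List[str] = []
    same = normalize(lhs, trace) == normalize(rhs, trace)
    return same, trace


# Constructed encodings of the terms of Sec. 5.1:
FX, GX, L1, L2 = 'f(x)', 'g(x)', 'l1', 'l2'
GOAL_LHS = ('+', FX, ('-', GX, ('+', L1, L2)))            # f(x) + (g(x) - (l1 + l2))
MAPLE_RHS = ('+', ('*', 1, ('-', FX, L1)), ('-', GX, L2))  # ((1*(f(x)-l1)) + (g(x)-l2))
MU_CAS_FORM = ('+', FX, ('-', ('-', GX, L1), L2))          # f(x) + ((g(x) - l1) - l2)
WRONG_RHS = ('+', FX, ('-', GX, ('-', L1, L2)))            # a constructed faulty claim

if __name__ == "__main__":
    ok, steps = verify_cas_equation(GOAL_LHS, MAPLE_RHS)
    print("Maple's result verified:", ok)
    print("\n".join(steps))
    # the two syntactically different normal forms of Sec. 5.1 agree under this checker
    print("normal-form conflict resolved:", verify_cas_equation(GOAL_LHS, MU_CAS_FORM)[0])
    print("faulty claim rejected:", not verify_cas_equation(GOAL_LHS, WRONG_RHS)[0])
```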



5.2 The Polynomial-Root Method 

In general, optimization problems are of the form $Opt_<(f, I)$ or $Opt_>(f, I)$, where $f$ is a cost function consisting of a rational polynomial and some denomination, that either has to be minimized or maximized within the rational interval $I$. Thus, the goal is to show that the polynomial part of $f$ has a total maximum or minimum within $I$. Generally $f$ is not directly given but has to be computed from a set of given cost functions of economic processes and prices for resources. These manipulations are done by methods using μCAS computations. The calculation of extrema and subsequently of roots to justify total minimum or maximum properties is performed by methods using Maple and verified by μCAS.

One of these latter methods is Polynomial-Root, shown in Fig. 4, whose purpose is to confirm the existence of a root of a polynomial. It therefore has one conclusion only and no premises; that is, when the method is applied, it closes an open line but does not introduce any new goals into the proof plan. The application conditions are handled as follows: if p is actually a polynomial, the CAS-root function calls Maple's function roots to compute the rational roots of p. In case Maple's computation is successful the method is applied and the first of the returned values is bound to the method parameter a (whereas possible additional roots are kept for backtracking purposes). The value of a

⁵ Actually, we have not yet expanded the subproof to ND calculus level. Since equality is a concept defined by Leibniz-equality in Ωmega, =Subst is a tactic which can be further expanded. However, we omitted the rather tedious details of this expansion here.
Appl. Cond.: IsPolynomial(p); a ← CAS-root(p, x); σ ← [x/a]

Conclusions: ⊖ L₃

Proof Schema:
(L₁) $\Delta \vdash 0 = 0$ (=Ref)
(L₂) $\Delta \vdash p\sigma = 0$ (CAS L₁)
(L₃) $\Delta \vdash \exists x.\ p = 0$ ($\exists$I L₂)

Fig. 4. The Polynomial-Root Method



is then used to construct an appropriate substitution for p, which is bound to the parameter σ. Because Polynomial-Root does not introduce any new lines during the planning process, all the instantiations are needed for the expansion of the method.

We observe the behavior of Polynomial-Root with a concrete example, but focus only on the application and expansion of the method and do not elaborate on the actual optimization problem and how it is solved. Suppose we apply Polynomial-Root to an open line of the form $\exists x.\ (x^3 + x^2 - 5x - 2) = 0$. The method variable p is then bound to $x^3 + x^2 - 5x - 2$ and Maple is called with roots($x^3 + x^2 - 5x - 2$, x). Maple returns 2 as the only rational root of p (together with its multiplicity, which we can ignore), which is bound to a, and finally the substitution σ is constructed as [x/2].

When expanding the method's application, lines L₁ and L₂ are properly substituted and introduced into the proof, as shown below. For the expansion of the CAS justification in the second line μCAS is used to perform the step-by-step low-level verification of the result.

$0 = 0$ (=Ref)
$((2^3 + (2^2 - 5 * 2)) - 2) = 0$ (CAS)
$\exists x.\ ((x^3 + (x^2 - 5x)) - 2) = 0$ ($\exists$I)

The expansion employs tactics that represent single computational steps on rational numbers. We omit, however, the details of this expansion since it works analogously to the one presented in Sec. 5.1.
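As an added example (not the paper's or μCAS's code) of the single computational steps on rational numbers mentioned above, the following Python code re-checks the root Maple returned for the polynomial of this section, writing out one trace entry per multiplication and addition in exact rational arithmetic. It also makes visible the limit noted in the Discussion that follows: such a check confirms that a claimed value is a root, but cannot establish that no other roots exist. The coefficient-list encoding and the function names are assumptions of this example.

```python
# Added example (not μCAS or the paper's code): re-check a root that an external
# CAS claims for a polynomial, using only single steps of exact rational arithmetic.
from fractions import Fraction
from typing import List, Tuple, Union

Number = Union[int, Fraction]


def evaluate_with_trace(coeffs: List[Number], a: Number) -> Tuple[Fraction, List[str]]:
    """Evaluate p(a) for p given by coeffs = [c_n, ..., c_1, c_0] (highest degree
    first), recording every multiplication and addition as one trace entry, in the
    spirit of tactics that represent single computational steps on rationals."""
    a = Fraction(a)                      # exact arithmetic: no floating-point rounding
    trace: List[str] = []
    degree = len(coeffs) - 1
    total = Fraction(0)
    for i, c in enumerate(coeffs):
        c = Fraction(c)
        power = Fraction(1)
        for _ in range(degree - i):      # a^k by repeated multiplication, one step each
            step = power * a
            trace.append(f"{power} * {a} = {step}")
            power = step
        term = c * power
        trace.append(f"{c} * {power} = {term}")
        new_total = total + term
        trace.append(f"{total} + {term} = {new_total}")
        total = new_total
    return total, trace


def verify_root(coeffs: List[Number], claimed_root: Number) -> bool:
    """True iff the claimed value is a root of p. This confirms existence cheaply;
    it says nothing about whether the CAS returned *all* roots (the uniqueness
    question the Discussion section flags as hard to verify)."""
    value, _ = evaluate_with_trace(coeffs, claimed_root)
    return value == 0


# The polynomial of Sec. 5.2, x^3 + x^2 - 5x - 2, as a constructed coefficient list:
P = [1, 1, -5, -2]

if __name__ == "__main__":
    value, steps = evaluate_with_trace(P, 2)     # 2 is the root Maple returned
    print("\n".join(steps))
    print("p(2) =", value, "->", "root confirmed" if verify_root(P, 2) else "rejected")
    print("p(1) is a root?", verify_root(P, 1))  # a wrong claim is rejected
```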

6 Discussion 

From our current experience, the presented approach is well suited for symbolic computations whose verification is relatively trivial, e.g., where only simple arithmetic needs to be employed. However, the method is not feasible for computations where the verification is as expensive as or even more complicated than the computation itself. At least in the latter case it might be more practicable to specify the computation immediately as a μCAS algorithm. Computations where the verification will be definitely non-trivial are those involving certain uniqueness properties of the result. For instance, when employing Maple to compute all roots of a function, it will be a hard task to verify that there exist no more roots than those actually computed. For further discussion of this point refer to [17].
Although we presented our ideas in this paper in the context of proof planning, we strongly believe that the approach could also work in tactical (interactive) theorem proving. One necessary prerequisite will be the existence of an explicit proof object for storing proof steps that contain calculations. These steps can then be verified with the help of the simple μCAS algorithm. Even if the proof object does not have the advanced facilities for step-wise expansion of proof steps, the verification could be done by transforming μCAS output into tactics, and thereby primitive inferences, of the respective system. Those primitive inferences would not necessarily have to be incorporated into the proof object. For instance, one can imagine a tactic such as Complex-Estimate in TPS [2]. After successful proof construction it could be verified with the help of μCAS and remain as a single step in the proof object. This treatment would also ease automation.

For systems not maintaining explicit proof objects, such as HOL [14] or PVS [21], the approach of [17] would suit best. Here the symbolic computations are verified immediately by tactics built on primitive inferences of HOL. However, this approach directly implements the verification algorithms as tactics in the HOL system as correspondences to Maple's computation. Using a separate system for the verification, i.e., the generation of more or less detailed inference chains justifying computations, keeps the DS clean from special algorithms, methods and tactics employed for this task only. Moreover, both SAPPER and μCAS are generic enough to be easily adapted for connection with other systems, whereas tactics can generally not be exported that easily.

7 Conclusion 

We have presented an approach for integrating symbolic computations into logical derivations without foregoing the formal correctness requirements for proofs in deduction systems. The main idea underlying the approach is to employ the computational power of full-grown CASs, such as Maple, during proof planning and thereby ease the derivation of certain witness terms. After a proof has been successfully planned we use a little self-tailored CAS, μCAS, during the refinement phase of the plan to an actual natural deduction proof in order to verify the correctness of the original computation. This is based on the idea that for some computations the verification of a result is much simpler than the computation itself, and, indeed, for our examples it suffices to use arithmetic.

Although we hinted at how this method could also be successfully employed outside the proof planning context, it is certainly not the ultima ratio as a paradigm for integrating deduction and computer algebra. However, since there are currently no CASs available that are either provably correct or give us enough information on their computations, we have chosen this pragmatic approach in the Ωmega system in order to derive proof plans which in turn can be used to justify the correctness of symbolic computations.

We demonstrated the presented technique with two examples from the domain of limit theorems and optimization problems. We are currently investigating how CASs such as Gap [12] and Magma [6] can be employed to proof plan theorems in group theory.
Abstract. A number of combinations of reasoning and computer algebra systems have been proposed; in this paper we describe another, namely a way to incorporate a logic in the computer algebra system Axiom. We examine the type system of Aldor - the Axiom Library Compiler - and show that with some modifications we can use the dependent types of the system to model a logic, under the Curry-Howard isomorphism. We give a number of example applications of the logic we construct and explain a prototype implementation of a modified type-checking system written in Haskell.



1 Introduction 

Symbolic mathematical - or computer algebra - systems, such as Axiom [13], Maple and Mathematica, are in everyday use by scientists, engineers and indeed mathematicians, because they provide a user with techniques of, say, integration which far exceed those of the person themselves, and make routine many calculations which would have been impossible some years ago. These systems are, moreover, taught as standard tools within many university undergraduate programmes and are used in support of both academic and commercial research.

There are, however, drawbacks to the widespread use of automated support of complex mathematical tasks, which have been widely noted: Fateman [10] gives the graphic example of systems which will assume that $a \neq 0$ on the basis that $a = 0$ has not been established. This can have potentially disastrous consequences for the naive user of the system or indeed, if it occurs within a sufficiently complicated context, any user.

Symbolic mathematics systems are also limited by their reliance on algebraic techniques. As Martin [14] remarks, in performing operations of analysis it might be a precondition that a function be continuous; such a property cannot be guaranteed by a computer algebra system alone.

All this makes the combination of computer algebra with theorem proving a topic of considerable interest. Reasoning capabilities can allow a user to track assumptions, and thus to ensure that symbolic computations are sound, in contrast to the current situation in many CA systems.



H. Kirchner and C. Ringeissen (Eds.): FroCoS 2000, LNAI 1794, pp. 136-150, 2000.

Reasoning can also extend the capability of a CA system. A scenario might involve working with a particular monoid: if during the course of computation it can be shown, for instance, that the monoid is commutative then it is possible to use different, more efficient, simplification algorithms for expressions. The addition of reasoning here has made computation more efficient; in other situations - such as Martin's analysis example mentioned earlier - reasoning can allow computations to proceed where in general this would not be possible.

The literature contains a number of different strategies proposed for combining computer algebra and theorem proving; see, for instance, [4,6,3]. This paper describes another approach: we use the type system of the Axiom computer algebra system [13] to represent a logic, and thus to use the constructions of Axiom to handle the logic and represent proofs and propositions, in the same way as is done in theorem provers based on type theory such as Nuprl [7] or Coq [8].

This paper particularly explores the recent Axiom Library Compiler, Aldor [30], which is unusual among computer algebra systems in being strongly typed, and moreover in having a very powerful type system, including dependent types which are central to our work.

The implementation of dependent types in Aldor is somewhat nonstandard: there is no evaluation within type expressions, so that, for example, 'vectors of length 2+3' are distinct from 'vectors of length 5'; we show how this limits the expressivity of the dependent types. We describe a modification of the Aldor system which allows the types to represent the propositions of a constructive logic, under the Curry-Howard correspondence. We argue that this integrates a logic into the Aldor system, and thus permits a variety of logical extensions to Aldor, including adding pre- and post-conditions to function specifications, axiomatisations to categories of mathematical objects as well as the ability to reason about the objects in Aldor.

The structure of the paper is as follows. Section 2 introduces Aldor and in 
particular examines its system of types. In Section 3 we examine the issue of 
type equality in Aldor since it is central to our approach to embedding a logic in 
Aldor. The section also contains a number of strategies for modifying the Aldor 
compiler. We show how a logic can be defined in a modified variant of the Aldor 
system in Section 4 and Section 5 gives some example applications. We conclude 
with a discussion of related and future work. 



2 An Introduction to Aldor 

The Axiom Library Compiler, Aldor [30] (known in the past as AXIOM-XL and A#), provides the user with a powerful, general-purpose programming language in which to model the structures of mathematics. Aldor is compiled, in contrast to most computer algebra languages, and so it can provide much more efficient implementations of algorithms than interpreted languages.

The core of Aldor is a functional programming language which provides higher-order functions, generators (which bear a strong relationship to list comprehensions) and other features of modern functional languages like Standard ML [17] and Haskell [21]. It is also strongly typed, in common with these languages and indeed the majority of modern programming languages. Under this type discipline any type error - such as adding a character to a boolean operator - can be caught at compile time rather than at run time. This has two consequent advantages. First, a whole class of programming errors can be detected prior to program execution, thus increasing the dependability of the compiled code. Secondly, it means that it is possible to produce more efficient compiled code since no run-time type tags on program data need to be maintained to support type checking at run-time.

Since Aldor is designed with mathematics in mind, its type system is more complex than those of most programming languages. Mathematicians take a flexible approach to terminology, with the consequence that often the meaning of a symbol or phrase is only determined by its context. This requires of a programming language that symbols can be overloaded, and that sometimes values need to be coerced from one type to another: from the integers to floating-point numbers, for example.

More importantly this flexibility necessitates an entity like the collection of integers to be seen in various different ways, depending on the context. In the case of the integers this might be a set of values, a group, an integral domain, a subset of the real numbers and so forth. To do this, the language allows types and functions to be collected into domains, and the type of a domain, which is described by a signature, is called a category.

Categories can be built on top of other categories, giving a version of inheritance between domains. Categories can also be parametrised by values including domains; rather than implement a theory of parametric categories, Aldor takes types to be values just like more traditional values like 23 and the Boolean value 'false'. This has far-reaching consequences for the language.

Current descriptions of Aldor, [30,29], give informal definitions of the type system. We have given a formal description of the essence of the Aldor type system in [22]. In the remainder of this section we summarise our approach in that paper and the conclusions that are drawn there.



2.1 An Overview of the Type System of Aldor 

Unusually among languages for computer algebra, but in keeping with the functional school, Aldor is strongly typed. Each declaration of a binding can be accompanied by a declaration of the type of the value bound, as in the definition

a : Integer == 23;

The type of an expression can be declared explicitly to resolve any uses of overloaded identifiers. This cannot simply be done by the typing rules, since arbitrary overloading is allowed, so that, for instance, a single identifier fun may be overloaded to have types Int -> Int, Int -> Bool and Bool -> Int so that neither the type of the argument nor the type of result expected can disambiguate an application of fun.
Some 'courtesy' coercions are provided by the system automatically: these convert between multiple values (à la LISP), cross products and tuples. It is also possible to make explicit conversions by means of the coerce function - from integers to floating point numbers and so forth.

As mentioned earlier, Aldor treats types as values. In particular, a type such 
as Integer has itself a type. The type of types is called Type. Having this type 
of all types means that the system supports functions over types, such as the 
identity function over (the type of) types: 

idType (ty : Type) : Type == ty; 

and explicit polymorphism, as in the polymorphic identity function which takes 
two arguments. The first is a type ty and the second is a value of that type 
which is returned as the result. 

id (ty : Type, x : ty) : ty == x; (id) 

Aldor permits functions to have dependent types, in which the type of a function result depends upon the value of a parameter. An example is the function which sums the values of vectors of integers. This has the type

vectorSum : (n: Integer) -> Vector (n) -> Integer 

in which the result of a function application, say 

vectorSum (34) 

has the type Vector (34) -> Integer because its argument has the value 34. 
In a similar way, when the id function of definition (id) is applied, its result 
type is determined by the type which is passed as its first argument. We discuss 
this aspect of the language in more detail in Section 2.3. 

The system is not fully functional, containing as it does variables which 
denote storage locations. The presence of updatable variables inside expressions 
can cause side-effects which make the elucidation of types considerably more 
difficult. There is a separate question about the role of ‘mathematical’ variables 
in equations and the like, and the role that they play in the type system of Aldor. 

Categories and domains provide a form of data abstraction and are addressed 
in more detail in Section 2.5. 

The Aldor type system can thus be seen to be highly complex and we shall 
indeed see that other features such as macros (see Section 2.5) complicate the 
picture further. 

2.2 Formalising the Type System of Aldor 

This section outlines the approach we have taken in formalising the type system 
of Aldor. Our work is described in full in [22]; for reasons of space we can only 
give a summary here. 

The typing relation is formally described by typing judgements of the form

$\Gamma \vdash t : T$

which is read "t has the type T in the context Γ". A context here consists of a list of variable declarations, type definitions and so on. Contexts represent the collection of bindings which are in scope at a point in a program text. Note that t might have more than one type in a given context because of overloading of identifiers in Aldor, and so it would be perfectly legitimate for a well-formed context Γ to imply that t : T and t : T' where T and T' are different types.

Complex typing judgements are derived using deduction rules that codify conditions for a typing judgement to hold. For example,

$$\frac{\Gamma \vdash f : S \to T \qquad \Gamma \vdash s : S}{\Gamma \vdash f(s) : T}\ \text{(function elim)}$$

describes the type-correct application of a function. This deductive approach is standard; we have adapted it to handle particular features of Aldor such as overloading, first-class types and categories.

Our discussion in [22] examines the essential features of the full type system of 
Aldor; in this paper we concentrate on those aspects of the language relevant to 
our project. These are dependent function and product types; equality between 
types; and categories and domains, and we look at these in turn now. 

2.3 Dependent Types 

As we have already seen with the examples of id and vectorSum, the Aldor 
language contains dependent types. To recap, the function vectorSum defines a 
sum function for vectors of arbitrary length and has the type 

vectorSum : (n: Integer) -> Vector (n) -> Integer 

Similarly one can define a function append to join two vectors together

append : (n : Integer, m : Integer, Vector(n), Vector(m)) -> Vector(n+m)

The typing rule for dependent function elimination modifies the rule (function elim) so that the values of the arguments are substituted in the result type, thus

$$\frac{\Gamma \vdash f : (x : S) \to T \qquad \Gamma \vdash s : S}{\Gamma \vdash f(s) : T[x := s]}\ \text{(dependent function elim)}$$

Given vectors of length two and three, vec2 and vec3, we can join them thus 

append(2,3,vec2,vec3) : Vector(2+3) 

where 2 and 3 have been substituted for n and m respectively. 

We would expect to be able to find the sum of this vector by applying 
vectorSum 5, thus 

(vectorSum 5) append(2,3,vec2,vec3) 
but this will fail to type check, since the argument is of type Vector(2+3), which is not equal to the expected type, namely Vector(5). This is because no evaluation takes place in type expressions in Aldor (nor indeed in the earlier version of Axiom). We examine this question in the next section, and in Section 3 we discuss how the Aldor type mechanism can be modified to accommodate a more liberal evaluation strategy within the type checker. Similar remarks apply to dependent product types in which the type of a field can depend on the value of another field.

2.4 Equality of Types in Aldor 

When are two types in Aldor equal? The definition of type equality in any programming language is non-trivial, but in the presence of dependent types and types as values it becomes a subtle matter.

Type equality is fundamental to type checking, as can be seen in the rule (function elim): the effect of the rule in a type-checker is to say that the application f(s) is only legitimate if f has type S->T, s has type S', and the types S and S' are equal. Non-identical type expressions can denote identical types for a number of reasons.

- A name can be given to a type, as in

myInt : Type == Int;

and in many situations myInt and Int will be treated as identical types. [This is often called δ-equality.]

- The bound variables in a type should be irrelevant and Aldor treats them as so. This means that the types

vectorSum : (n : Integer) -> Vector(n) -> Integer
vectorSum : (int : Integer) -> Vector(int) -> Integer

should be seen as identical. [α-equality]

- Types are values like any other in Aldor, and so can be evaluated. In particular a function over types like idType will be used in expressions such as idType Int. It would be expected that this would evaluate to Int and thus be seen as equivalent. [β-equality]

- In the presence of dependent types, expressions of any type whatsoever can be subexpressions of type expressions, as in Vector(2+3). Equality between these subexpressions can be lifted to types, making Vector(2+3) equal to Vector(5). [Value-equality]

Our report on the type system examines the practice of equality in the Aldor system and shows it to be complex. The Aldor system implements α-equality in nearly all situations, but δ-equality is not implemented in a uniform way. Over types neither β-equality nor value-equality is implemented, so that type equality in Aldor is a strong relation, in that it imposes finer distinctions than notions like β- or value-equality.
A rationale for the current definition in Aldor is that it is a simple notion of type equality which is strong enough to implement a weak form of type dependency in which arguments to types are themselves (literal) types which are not used in a computational way. This form of dependency is useful in the module system of Aldor where it can be used to formulate mathematical notions like 'the ring of polynomials in one variable over a field F' where the field F is a parameter of the type.

Our approach to integrating reasoning into Aldor requires a weaker notion 
of type equality, which we explore in Section 3. 

2.5 Categories and Domains 

Aldor is designed to be a system in which to represent and manipulate mathematical objects of various kinds, and support for this is given by the Aldor type system. One can specify what it is to be a monoid, say, by defining the Category¹ called Monoid, thus

Monoid : Category == BasicType with {     (Mon)
  * : (%, %) -> %;
  1 : %; }

This states that for a structure over a type '%' to be a monoid it has to supply two bindings; in other words a Category describes a signature. The first name in the signature is '*' and is a binary operation over the type '%'; the second is an element of '%'.

In fact we have stated slightly more than this, as Monoid extends the category BasicType which requires that the underlying type carries an equality operation.

BasicType : Category == with {
  = : (%, %) -> Boolean; }

We should observe that this Monoid category does not impose any constraints on bindings to '*' and '1': we shall revisit this example in Section 5.2 below.

Implementations of a category are abstract data types which are known in Aldor as domains, and are defined as was the value a at the start of Section 2.1, e.g.

IntegerAdditiveMonoid : Monoid == add {
  Rep == Integer;
  (x : %) * (y : %) : % == per((rep x) + (rep y));
  1 : % == per 0; }

The category of the object being defined - Monoid - is the type of the domain which we are defining, IntegerAdditiveMonoid. The definition identifies a representation type, Rep, and also uses the conversion functions rep and per which have the types

¹ There is little relation between Aldor's notion of category and the notion from category theory!
rep : % -> Rep        per : Rep -> %

The constructs Rep, rep and per are implemented using the macro mechanism of Aldor, and so are eliminated before type checking. In our report [22] we show how definitions of domains can be type checked without macro expansion, which allows, for instance, more accurate error diagnosis.

Categories can also be parametric, and depend upon value or type parameters; an example is the ring of polynomials over a given field mentioned earlier.



2.6 Conclusion 

This section has given a brief overview of Aldor and its type system. It has shown 
that the notion of type equality in Aldor is a strong one, which makes distinctions 
between types which could naturally be considered equivalent. This is especially 
relevant when looking at the effect of type equality on the system of dependent 
types. In the sections to come we show how a logic can be incorporated into 
Aldor by modifying the notion of type equality in Aldor. 



3 Modifying Type Equality in Aldor 

Section 2.4 describes type equality in Aldor and argues that it is a strong notion 
which distinguishes between type terms which can naturally be identified. In this 
section we examine various ways of modifying type equality including the way 
we have chosen to do this in our prototype implementation. 



3.1 Using the Existing System 

It is possible to use the existing Aldor system to mimic a different - weaker - type equality by explicitly casting values to new types, using the pretend function of Aldor.² This effectively sidesteps the type checker by asserting the type of an expression, which is accepted by the type checker without verification.

For instance, the vector example of Section 2.3 can be made to type check in 
Aldor by annotating it thus 

(vectorSum 5) (append(2,3,vec2,vec3) pretend Vector(5)) 
or thus 

((vectorSum 5) pretend (Vector(2+3) -> Integer)) append(2,3,vec2,vec3) 

This achieves a result, but at some cost. Wherever we expect to need some 
degree of evaluation, that has to be shadowed by a type cast; these casts are also 
potentially completely unsafe. 

² The pretend function is used in the definition of rep and per in the current version of Aldor; a more secure mechanism would be preferable.

3.2 Coercion Functions

Another possibility is to suggest that the current mechanism for coercions in 
Aldor is modified to include coercion functions which would provide conversion 
between type pairs such as Vector(2+3) and Vector (5) , extending the coercion 
mechanism already present in Aldor. This suggestion could be implemented but 
we envisage two difficulties with it. 

— In all but the simplest of situations we will need to supply uniformly-defined 
families of coercions rather than single coercions. This will substantially 
complicate an already complex mechanism. 

— Coercions are currently not applied transitively: the effect of this is to allow 
us to model single steps of evaluation but not to take their transitive closure. 

Putting these two facts together forces us to conclude that mimicking the 
evaluation process by means of coercions is not a reasonable solution to the 
problem of modifying type checking. 

3.3 Adding Full Evaluation 

To deal with the problem of unevaluated subexpressions in types, we have imple- 
mented a prototype version of Aldor using Haskell [23] . In this implementation 
all type expressions are fully evaluated to their normal form as a part of the 
process of type checking. To give an example, the rule (function elim) will be 
interpreted thus: 

f(s) is well-formed if and only if f has type S->T, s has type S', and 
the normal forms of S and S' are equal modulo α-equality. 

The effect of this modification is to force the type checker to perform evaluation 
of expressions at compile time. Clearly this can cause the type checker to diverge 
in general, since in, for instance, an application of the form vectorSum(e) an 
arbitrary expression e : Nat will have to be evaluated. 

More details of the prototype implementation of Aldor in Haskell are given 
in the technical report [23]. 

3.4 Controlling Full Evaluation 

A number of existing type systems, Haskell among them, have undecidable type 
systems [12] which can diverge at compile time. In practice this is not usually a 
problem as the pathologies lie outside the ‘useful’ part of the type system. This 
may well be the case with Aldor also, but it is also possible to design a subset 
of the language, Aldor⁻, whose type system is better behaved. 

There is considerable current interest in defining terminating systems of re- 
cursion [27,16]. A system like this is sufficient to guarantee the termination of 
expressions chosen for evaluation as part of the type checking process. The main 
effect of the restricted system is to force recursion to be structural (in a general 
sense); in practice this is acceptable, particularly in the subset of the language 
used within type expressions. 
4 Logic within Aldor 

In this section we discuss the Curry-Howard isomorphism between propositions 
and types, and show that it allows us to embed a logic within the Aldor type 
system, if dependent types are implemented to allow evaluation within type 
contexts. 



4.1 The Curry-Howard Correspondence 

Under the Curry-Howard correspondence, logical propositions can be seen as ty- 
pes, and proofs can be seen as members of these types. Accounts of constructive 
type theories can be found in notes by Martin-Löf [15] amongst others [19,26]. 
Central to this correspondence are dependent types, which allow the represen- 
tation of predicates and quantification. 

Central to the correspondence is the idea that a constructive proof of a 
proposition gives enough evidence to witness the fact that the proposition stands. 

— A proof of a conjunction A ∧ B has to prove each half of the proposition, 
so has to provide witnessing information for each conjunct; this corresponds 
precisely to a product type, in Aldor notation written as (A, B), members 
of which consist of pairs of elements, one from each of the constituent types. 

— A proof of an implication A ⇒ B is a proof transformer: it transforms proofs 
of A into proofs of B; in other words it is a function from type A to type B, 
i.e. a function of type A->B. 

— In a similar way a proof of a universal statement (∀x : A)B(x) is a function 
taking an element a of A into a proof of B(a); in other words it is an element 
of the dependent function type (x:A) -> B. 

— Similar interpretations can be given to the other propositional operators and 
the existential quantifier. 

We can summarise the correspondence in a table (the middle column gives the 
Aldor notation): 

  Programming                                   Logic 
  Type                                          Formula 
  Program                                       Proof 
  Product/record type        (A, B)             Conjunction 
  Sum/union type             V                  Disjunction 
  Function type              ->                 Implication 
  Dependent function type    (x:A) -> B(x)      Universal quantifier 
  Dependent product type     (x:A, B(x))        Existential quantifier 
  Empty type                 Exit               Contradictory proposition 
  One element type           Triv               True proposition 


Predicates (that is dependent types) can be constructed using the constructs 
of a programming language. A direct approach is to give an explicit (primitive 
recursive) definition of the type, which in Aldor might take the form 
lessThan(n:Nat,m:Nat) : Type ==                                    (lessThan) 
    if m=0 then Exit 
    else (if n=0 then Triv 
          else lessThan(n-1,m-1)); 

The equality predicate can be implemented by means of a primitive operation 
which compares the normal forms of the two expressions in question. 
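The following is an added example in Python, not code from the paper or from the Aldor or Haskell prototype it describes. It models the three ideas of Sections 3.3, 3.4 and 4.1 on a toy term language: type expressions are reduced to normal form before they are compared (so Vector(2+3) and Vector(5) are equal), the predicate lessThan is defined by primitive recursion on Nat and reduces to Exit or Triv, and evaluation is given a step budget so that a divergent type expression is reported rather than making the checker loop. The term encoding, the function names (normalize, type_equal, apply_type, diverges) and the deliberately divergent constructor omega are all constructed for this example.

```python
# Added example, not code from the paper: a toy normaliser for Aldor-style
# type expressions.  It shows type equality "modulo normal form" (Section 3.3),
# the primitive-recursive predicate lessThan as a type (Section 4.1), and a
# step budget that rejects non-terminating type expressions instead of letting
# the checker diverge (Section 3.4).  All names below are constructed.

class Diverged(Exception):
    """Raised when the step budget runs out while normalising a type term."""


def _nats(vals):
    return all(isinstance(v, int) for v in vals)


def normalize(term, fuel=200):
    """Reduce a type term to normal form.

    Term encoding: an int is a Nat literal, a str is a nullary type constant
    (Exit, Triv, Integer, ...), and a tuple (head, arg1, ...) is an application.
    Arguments are normalised first (call by value); each reduction step costs
    one unit of fuel, so evaluation is bounded even for a divergent term.
    """
    budget = fuel

    def step(t):
        nonlocal budget
        if isinstance(t, (int, str)):
            return t                                  # already in normal form
        head, *args = t
        vals = [step(a) for a in args]
        if budget <= 0:
            raise Diverged(t)
        budget -= 1
        if head == "+" and _nats(vals):
            return vals[0] + vals[1]
        if head == "-" and _nats(vals):
            return max(vals[0] - vals[1], 0)          # truncated Nat subtraction
        if head == "lessThan" and _nats(vals):        # definition (lessThan)
            n, m = vals
            if m == 0:
                return "Exit"
            if n == 0:
                return "Triv"
            return step(("lessThan", n - 1, m - 1))
        if head == "omega":                           # a deliberately divergent type
            return step(("omega",))
        return (head, *vals)                          # constructor: keep, with normalised args

    return step(term)


def type_equal(s, t, fuel=200):
    """Type equality in the modified checker: compare normal forms, not syntax."""
    return normalize(s, fuel) == normalize(t, fuel)


def apply_type(fun_type, arg_type):
    """Rule (function elim): for f : S -> T and s : S', return T if the normal
    forms of S and S' agree, otherwise None (the application is ill-formed)."""
    head, dom, cod = fun_type
    if head != "->":
        return None
    return cod if type_equal(dom, arg_type) else None


def diverges(term, fuel=50):
    """True if normalising term exhausts the budget (used to flag divergence)."""
    try:
        normalize(term, fuel)
    except Diverged:
        return True
    return False


if __name__ == "__main__":
    # The vector example: vectorSum(5) applied to a Vector(2+3) now type checks.
    print(apply_type(("->", ("Vector", 5), "Integer"), ("Vector", ("+", 2, 3))))
    print(normalize(("lessThan", 9, 3)), normalize(("lessThan", 1, 3)))
    print(diverges(("omega",)))
```

The budget is a blunt stand-in for the termination analysis of Section 3.4: lessThan is structurally recursive and needs only a handful of steps, while omega exhausts any budget and is reported instead of hanging the checker.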



4.2 A Logic within Aldor 

We need to examine whether the outline given in Section 4.1 amounts to a 
proper embedding of a logic within Aldor. We shall see that it places certain 
requirements on the definition and the system. 

Most importantly, for a definition of the form (lessThan) to work properly 
as a definition of a predicate we need an application like lessThan(9,3) to be 
reduced to Exit, hence we need to have evaluation of type expressions. This is a 
modification of Aldor which we are currently investigating, as outlined in Section 
2.3. In the case of (lessThan) the evaluation can be limited, since the scheme 
used is recognisable as terminating by, for instance, the algorithm of [16]. 

The restriction to terminating (well-founded) recursions is also necessary for 
consistency of the logic. For the logic to be consistent, we need to require that 
not all types are inhabited, which is clearly related to the power of the recur- 
sion schemes allowed in Aldor. One approach is to expect users to check this for 
themselves: this has a long history, beginning with Hoare’s axiomatisation of the 
function in Pascal, but we would expect this to be supported with some auto- 
mated checking of termination, which ensures that partially or totally undefined 
proofs are not permitted. 

Consistency also depends on the strength of the type system itself; a suffi- 
ciently powerful type system will be inconsistent as shown by Girard’s paradox 
[11]. 

5 Applications of an Integrated Logic 

Having identified a logic within Aldor, how can it be used? There are various 
applications possible; we outline some here and for others one can refer to the 
number of implementations of type theories which already exist, including Nuprl 
[7] and Coq [8]. 



5.1 Pre- and Post-Conditions 

A more expressive type system allows programmers to give more accurate types 
to common functions, such as the function which indexes the elements of a list. 

index : (l:List(t)) -> (n:Nat) -> ((n < length l) -> t) 
An application of index has three arguments: a list l and a natural number n 
- as for the usual index function - and a third argument of type (n < length 
l), that is a proof that n is a legitimate index for the list in question. This 
extra argument becomes a proof obligation which must be discharged when the 
function is applied to elements l and n. 

In a similar vein, it is possible to incorporate post-conditions into types, so 
that a sorting algorithm over lists might have the type 

sort : (l:List(t)) -> (List(t), Sorted(l)) 

and so return a sorted list together with a proof that the list is Sorted. 

5.2 Adding Axioms to the Categories of Aldor 

In definition (Mon) , Section 2.5, we gave the category of monoids, Monoid, which 
introduces two operation symbols, * and 1. A monoid consists not only of two 
operations, but of operations with properties. We can ensure these properties 
hold by extending the definition of the category to include three extra com- 
ponents which are proofs that 1 is a left and right unit for * and that * is 

associative, where we assume that ‘=’ is the equality predicate: 

Monoid : Category == BasicType with {                              (MonL) 
    * : (%, %) -> %; 
    1 : %; 
    leftUnit  : (g:%) -> (1*g = g); 
    rightUnit : (g:%) -> (g*1 = g); 
    assoc     : (g:%, h:%, j:%) -> ( g*(h*j) = (g*h)*j ); 
} 

For example, the declaration of leftUnit has the logical interpretation that 
leftUnit is a proof of the statement ‘for all g in the monoid (%), 1*g is equal 
to g’. 

The equality predicate is implemented as follows: the type a = b contains 
a value if and only if a and b have the same normal form. The extension ope- 
ration (i.e. the with in the definition above) over categories will lift to become 
operations of extension over the extended ‘logical’ categories such as (MonL) . 

5.3 Commutative Monoids 

In the current library for Axiom it is not possible to distinguish between general 
monoids and commutative monoids: both have the same signature. With logical 
properties it is possible to distinguish the two: 

CommutativeMonoid : Category == Monoid with { 
    comm : (g:%, h:%) -> ( g*h = h*g ); 
} 
To be a member of this category, a domain needs to supply an extra piece of 
evidence, namely that the multiplication is commutative; with this evidence the 
structure can be treated in a different way than if it were only known to be a 
monoid. This process of discovery of properties of a mathematical structure 
corresponds exactly to a mathematician’s experience. Initially a structure might 
be seen as a general monoid, and only after considerable work is it shown to be 
commutative; this proof gives entry to the new domain, and thus allows it to be 
handled using new approaches and algorithms. 

5.4 Different Degrees of Rigour 

One can interpret the obligations given in Sections 5.1 and 5.2 with differing 
degrees of rigour. Using the pretend function we can conjure up proofs of the 
logical requirements of (MonL) ; even in this case they appear as important do- 
cumentation of requirements, and they are related to the lightweight formal 
methods of [9]. 

Alternatively we can build fully-fledged proofs as in the numerous implemen- 
tations of constructive type theories mentioned above, or we can indeed adopt 
an intermediate position of proving properties seen as ‘crucial’ while asserting 
the validity of others. 

6 Conclusion 

We have described a new way to combine - or rather, to integrate - computer 
algebra and theorem proving. Our approach is similar to [3] and [4] in that 
theorem proving capabilities are incorporated in a computer algebra system. 
(In the classification of possible combinations of computer algebra and theorem 
proving of [6], all these are instances of the “subpackage” approach.) But the way 
in which we do this is completely different: we exploit the expressiveness of the 
type system of Aldor, using the Curry-Howard isomorphism that also provides 
the basis of theorem provers based on type theory such as Nuprl [7] or Coq [8]. 
This provides a logic as part of the computer algebra system. Also, having the 
same basis as existing theorem provers such as the ones mentioned above makes 
it easier to interface with them. 

So far we have worked on a formal description of the core of the Aldor 
type system [22], and on a pilot implementation of a typechecker for Aldor 
which does evaluation in types which can be used as a logic [23]. This pilot 
forms the model for modifications to the Aldor system itself, as well as giving 
a mechanism for interfacing Aldor with other systems like the theorem prover 
Coq, complementary to recent work on formalising the Aldor system within Coq 
[1] . The logic is being used in a mathematical case study of symbolic asymptotics 
[25]. 

It is interesting to see a convergence of interests in type systems from a 
number of points of view, namely 
— computer algebra, 

— type theory and theorem provers based on type theory, 

— functional programming. 

For instance, there seem to be many similarities between structuring mechanisms 
used in these different fields: [5] argues for functors in the sense of the program- 
ming language ML as the right tool for structuring mathematical theories in 
Mathematica, and [24] notes similarities between the type system of Aldor, exi- 
stential types [18], and Haskell classes [28]. More closely related to our approach 
here, it is interesting to note that constructive type theorists have added induc- 
tive types [20], giving their systems a more functional flavour, while functional 
programmers are showing an interest in dependent types [2] and languages with- 
out non-termination [27]. We see our work as part of that convergence, bringing 
type-theoretic ideas together with computer algebra systems, and thus providing 
a bridge between symbolic mathematics and theorem proving. 
Abstract. The two main approaches to the formal verification of re- 
active systems are based, respectively, on model checking (algorithmic 
verification) and theorem proving (deductive verification). These two ap- 
proaches have complementary strengths and weaknesses, and their com- 
bination promises to enhance the capabilities of each. This paper surveys 
a number of methods for doing so. As is often the case, the combinations 
can be classified according to how tightly the different components are 
integrated, their range of application, and their degree of automation. 



1 Introduction 

Formal verification is the task of proving mathematical properties of mathe- 
matical models of systems. Reactive systems are a general model for systems 
that have an ongoing interaction with their environment. Such systems do not 
necessarily terminate, so their computations are modeled as infinite sequences 
of states and their properties specified using temporal logic [48]. The verifica- 
tion problem is that of determining if a given reactive system satisfies a given 
temporal property. 

Reactive systems cover a wide range of hardware and software artifacts, in- 
cluding concurrent and distributed systems, which can be particularly difficult 
to design and debug. (Sequential programs and programs that terminate are a 
special case of this general model.) Reactive systems can be classified according 
to their number of possible states. For finite-state systems, the states are given 
by a finite number of finite-state variables. This includes, in particular, hard- 
ware systems with a fixed number of components. Infinite-state systems feature 
variables with unbounded domains, typically found in software systems, such as 
integers, lists, trees, and other datatypes. (Note that in both cases the compu- 
tations are infinite sequences of states.) 

The verification of temporal properties for finite-state systems is decidable: 
model checking algorithms can automatically decide if a temporal property holds 
for a finite-state system. Furthermore, they can produce a counterexample com- 
putation when the property does not hold, which can be very valuable in determi- 
ning the corresponding error in the system being verified or in its specification. 
However, model checking suffers from the state explosion problem, where the 
number of states to be explored grows exponentially in the size of the system 
description, particularly as the number of concurrent processes grows. 

The verification problem for general infinite-state systems is undecidable, 
and finite-state model checking techniques are not directly applicable. (We will 
see, however, that particular decidable classes of infinite-state systems can be 
model checked using specialized tools.) First-order logic is a convenient langu- 
age for expressing relationships over the unbounded data structures that make 
systems infinite-state. Therefore, it is natural to use theorem proving tools to 
reason formally about such data and relationships. Deductive verification, based 
on general-purpose theorem proving, applies to a wide class of finite- and infinite- 
state reactive systems. It provides relatively complete proof systems, which can 
prove any temporal property that indeed holds over the given system, provided 
the theorem proving tools used are expressive and powerful enough [42]. Unfor- 
tunately, if the property fails to hold, deductive methods normally do not give 
much useful feedback, and the user must try to determine whether the fault lies 
with the system and property being verified or with the failed proof. 



Table 1. Deductive vs. algorithmic verification 

                                            Algorithmic Methods   Deductive Methods   Combination 
  Automatic / decidable?                    yes                   no                  sometimes 
  Generates counterexamples?                yes                   no                  sometimes 
  Handles general infinite-state systems?   no                    yes                 yes 


The strengths and weaknesses of model checking and deductive verification, 
as discussed above, are summarized in Table 1. Given their complementary na- 
ture, we would like to combine the two methods in such a way that the desirable 
features of each are retained, while minimizing their shortcomings. Thus, com- 
binations of model checking and theorem proving usually aim to achieve one or 
more of the following goals: 

— More automatic (or, less interactive) verification of infinite-state systems for 
which model checking cannot be directly applied. 

— Verifying finite-state systems that are larger than what stand-alone model 
checkers can handle. 

— Conversely, verifying infinite-state systems with control structures that are 
too large or complex to check with purely deductive means. 
— Generating counterexamples (that is, falsifying properties) for infinite-state 
systems for which classical deductive methods can only produce proofs. 

— Formalizing, and sometimes automating, verification steps that were pre- 
viously done in an informal or manual way. 

Outline: Section 2 presents background material, including the basic model for 
reactive systems. We then describe the main components of verification systems 
based on model checking (Section 3) and theorem proving (Section 4). In Sec- 
tion 5 we describe abstraction and invariant generation, which are important 
links between the two. This defines the basic components whose combination we 
discuss in the remaining sections. 

In Section 6, we describe combination methods that use the components as 
“black boxes,” that is, which do not require the modification of their internal 
workings. In Section 7, we present combination approaches that require a tighter 
integration, resulting in new “hybrid” formalisms. 

References to combination methods and related work appear throughout the 
paper, which tries to present a general overview of the subject. However, since 
much of the work on formal verification during the last decade is related to the 
subject of this paper, the bibliography can only describe a subset of the work in 
the field. Furthermore, this paper is based on [58], which presents the author’s 
own view on the subject, and thus carries all the biases which that particular 
proposal may have. For this, we apologize in advance. 

2 Preliminaries 

2.1 Kripke Structures and Fair Transition Systems 

A reactive system S : (Σ, Θ, R) is given by a set of states Σ, a set of initial 
states Θ ⊆ Σ, and a transition relation R ⊆ Σ × Σ. If (s₁, s₂) ∈ R, the system 
can move from s₁ to s₂. A system S can be identified with the corresponding 
Kripke structure, or state-space. This is the directed graph whose vertices are 
the elements of Σ and whose edges connect each state to its successor states. 

If Σ is finite, S is said to be finite-state. Describing large or infinite state- 
spaces explicitly is not feasible. Therefore, the state-space is implicitly represen- 
ted in some other form: a hardware description, a program, or an ω-automaton. 

Fair transition systems are a convenient formalism for specifying both finite- 
and infinite-state reactive systems [44]. They are “low-level” in the sense that 
many other formalisms can be translated or compiled into them. 

The state-space of the system is determined by a set of system variables 
V, where each variable has a given domain (e.g., booleans, integers, recursive 
datatypes, or reals). The representation relies on an assertion language, usually 
based on first-order logic, to represent sets of states. 

Definition 1 (Assertion). A first-order formula whose free variables are a 
subset of V is an assertion, and represents the set of states that satisfy it. For 
an assertion φ, we say that s ∈ Σ is a φ-state if s ⊨ φ, that is, φ holds given 
the values of V at the state s. 
In practice, an assertion language other than first-order logic can be used. 
The basic requirements are the ability to represent predicates and relations, 
and automated support for validity and satisfiability checking (which need not 
be complete). Examples of other suitable assertion languages include ordered 
binary decision diagrams (OBDD’s) [12] and their variants, for finite-state sy- 
stems (see Section 3) , and the abstract domains used in invariant generation (see 
Section 5.1). 

The initial condition is now expressed as an assertion, characterizing the set 
of possible system states at the start of a computation. The transition relation 
R is described as a set of transitions T. Each transition τ ∈ T is described by its 
transition relation τ(V, V'), a first-order formula over the set of system variables 
V and a primed set V', indicating their values at the next state. 

Definition 2 (Transition system). A transition system S : (V, Θ, T) is given 
by a set of system variables V, an initial condition Θ, expressed as an assertion 
over V, and a set of transitions T, each an assertion over (V, V'). 

In the associated Kripke structure, each state in the state-space Σ is a possi- 
ble valuation of V. We write s ⊨ φ if assertion φ holds at state s, and say that 
s is a φ-state. A state s is initial if s ⊨ Θ. There is an edge from s₁ to s₂ if 
(s₁, s₂) satisfy τ for some τ ∈ T. 

The Kripke structure is also called the state transition graph for S. Note 
that if the domain of a system variable is infinite, the state-space is infinite 
as well, even though the reachable state-space, the set of states that can be 
reached from 0, may be finite. We can thus distinguish between syntactically 
finite-state systems and semantically finite-state ones. Establishing whether a 
system is semantically finite-state may not be immediately obvious (and is in 
fact undecidable) , so we prefer the syntactic characterization. 

The global transition relation is the disjunction of the individual transition 
relations: R(s₁, s₂) iff τ(s₁, s₂) holds for some τ ∈ T. For assertions φ and ψ and 
transition τ, we write 

{φ} τ {ψ} ≡ (φ(V) ∧ τ(V, V')) → ψ(V') . 

This is the verification condition that states that every τ-successor of a φ-state 
must be a ψ-state. 

A run of S is an infinite path through the Kripke structure that starts at an 
initial state, i.e., a sequence of states (s₀, s₁, ...) where s₀ ∈ Θ and R(sᵢ, sᵢ₊₁) 
for all i ≥ 0. If τ(sᵢ, sᵢ₊₁) holds, then we say that transition τ is taken at sᵢ. A 
transition is enabled if it can be taken at a given state. 

Fairness and Computations: Our computational model represents concur- 
rency by interleaving : at each step of a computation, a single action or transi- 
tion is executed [44] . The transitions from different processes are combined in all 
possible ways to form the set of computations of the system. Fairness expresses 
the constraint that certain actions cannot be forever prevented from occurring — 
that is, that they do have a fair chance of being taken. Describing R as a set of 
transition relations is convenient for modeling fairness: 
Definition 3 (Fair transition system). A fair transition system (FTS) is 
one where each transition is marked as just or compassionate. A just (or weakly 
fair) transition cannot be continually enabled without ever being taken; a compas- 
sionate (or strongly fair) transition cannot be enabled infinitely often but taken 
only finitely many times. A computation is a run that satisfies these fairness 
requirements (if any exist). 

To ensure that R is total on Σ, so that sequences of states can always be 
extended to infinite sequences, we assume an idling transition, with transition 
relation V = V'. The set of all computations of a system S is written L(S), a 
language of infinite strings whose alphabet is the set of states of S. 

2.2 Temporal Logic 

We use temporal logic to specify properties of reactive systems [48,44]. Linear- 
time temporal logic (LTL) describes sets of sequences of states, and can thus 
capture universal properties of systems, which are meant to hold for all computa- 
tions. However, LTL ignores the branching structure of the system’s state-space, 
and thus cannot express existential properties, which assert the existence of par- 
ticular kinds of computations. The logic CTL* includes both the branching-time 
computation tree logic (CTL) and LTL, and is strictly more expressive than both. 
Due to space limitations, we refer the reader to [44,16] for the corresponding de- 
finitions. 

A temporal formula is S-valid if it holds at all the initial states of the Kripke 
structure of S, considering only the fair runs of the system. For LTL, a conveni- 
ent definition of S-validity can be formulated in terms of the set L(φ) of models 
of φ, which is the set of all infinite sequences that satisfy φ: 

Proposition 1 (LTL system validity). S ⊨ φ for an LTL formula φ if and 
only if all the computations of S are models of φ, that is, L(S) ⊆ L(φ). 

3 Finite-State Model Checking 

Given a reactive system S and a temporal property φ, the verification problem 
is to establish whether S ⊨ φ. For finite-state systems, model checking [14,50] 
answers this question by a systematic exploration of the state-space of S, based 
on the observation that checking that a formula is true in a particular model is 
generally easier than checking that it is true in all models; the Kripke structure 
of S is the particular model in question, and φ is the formula being checked. 

Model checkers, such as SPIN [32], SMV [45], Murφ [24], and those in STeP 
[7], take as input what is essentially a finite-state fair transition system and a 
temporal formula in some subset of CTL*, and automatically check that the sy- 
stem satisfies the property. (See [16] for a recent and comprehensive introduction 
to model checking.) 

The complexity of model checking depends on the size of the formula being 
checked (linear for CTL and exponential for LTL and CTL*) and the size of the 
system state-space (linear for all three logics). While the temporal formulas of 
interest are usually small, the size of the state-space can grow exponentially in the 
size of its description, e.g., as a circuit, program, or fair transition system. This 
is known as the state explosion problem, which limits the practical application 
of model checking tools. 

Symbolic Model Checking: Model checking techniques that construct and 
explore states of the system, one at a time, are called explicit- state. In con- 
trast, symbolic model checking combats the state-explosion problem by using 
specialized formalisms to represent sets of states. Ordered Binary Decision Dia- 
grams (OBDD’s) [12] are an efficient data structure for representing boolean 
functions and relations. They can be used to represent the transition relation 
of finite-state systems, as well as subsets of the systems’ state-space. The effi- 
cient algorithms for manipulating OBDD’s can be used to compute predicate 
transformations, such as pre- and post-condition operations, over the transition 
relation and large, symbolically represented sets of states [45]. 

Symbolic model checking extends the size of finite-state systems that can be 
analyzed, and is particularly successful for hardware systems. However, it is still 
restricted to finite-state systems of fixed size. The size of the OBDD representa- 
tion can grow exponentially in the number of boolean variables, leading to what 
can be called the OBDD explosion problem, where the model checker runs out of 
memory before the user runs out of time. In these cases, efficient explicit-state 
model checkers such as Murφ [24] are preferred. 

We arrive now at our first general combination scheme, which we can infor- 
mally call “SMC(X);” here, symbolic model checking is parameterized by the 
constraint language used to describe and manipulate sets of states. For instance, 
extensions of OBDD’s are used to move from bit-level to word-level representati- 
ons [15]; more expressive assertions are used in [36]. Similarly, finite-state bounded 
model checking [5] abandons BDD’s and relies instead on the “black-box” use of 
a propositional validity checker. This method can find counterexamples in cases 
for which BDD-based symbolic model checking fails. 

4 Deductive Verification 

Figure 1 presents the general invariance rule, G-INV, which proves the S-validity 
of formulas of the form □p for an assertion p [44]. The premises of the rule are 
first-order verification conditions. If they are valid, the temporal conclusion must 
hold for the system S. 

An assertion is inductive if it is preserved by all the system transitions and 
holds at all initial states. The invariance rule relies on finding an inductive au- 
xiliary assertion φ that strengthens p, that is, φ implies p. 

The soundness of the invariance rule is clear: if φ holds initially and is preser- 
ved by all transitions, it will hold for every reachable state of S. If p is implied 
by φ, then p will also hold for all reachable states. Rule G-INV is also relatively 
complete: if p is an invariant of S, then the strengthened assertion φ always 




[Running head: Combinations of Model Checking and Theorem Proving, p. 157] 

[Figure not reproduced in this text. Caption: Fig. 1. General invariance rule G-INV, for assertions φ and p.] 

exists [44]. Assuming that we have a complete system for proving valid asserti- 
ons, then we can prove the S-validity of any S-valid temporal property. Note, 
however, that proving invariants is undecidable for general infinite-state systems, 
and finding a suitable φ can be non-trivial. 

Other verification rules can be used to verify different classes of temporal 
formulas, ranging from safety to progress properties. Together, these rules are 
also relatively complete and yield a direct proof of any S-valid temporal property 
[42]. However, they may require substantial user guidance to succeed, and do not 
produce counterexample computations when the property fails. 

When we require that a premise of a rule or a verification condition be valid, 
we mean for it to be S-valid; therefore, verification conditions can be established 
with respect to invariants of the system, which can be previously proved or 
generated automatically. In general, axioms and lemmas about the system or the 
domain of computation can also be used. As we will see, this simple observation 
is an important basis for combined verification techniques. 
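The following is an added example in Python, not code from the paper or from any of the tools (STeP, SMV, SPIN, Murφ) it cites. It puts the definitions of Section 2.1 and the contrast between Sections 3 and 4 into one small, constructed finite-state system: two processes that alternate entry to a critical section by means of a turn variable. The same invariant, mutual exclusion, is checked twice: by explicit-state model checking (breadth-first exploration of the reachable states, returning a counterexample run prefix when a property fails) and by the invariance rule G-INV, where the verification conditions {φ} τ {φ} are checked over the whole syntactic state-space Σ, as a theorem prover would, without knowing which states are reachable. Mutual exclusion turns out to be S-valid but not inductive, and the example shows the strengthened auxiliary assertion φ that makes the rule go through. The protocol, its variables and every helper name are constructed for this example.

```python
# Added example, not code from the paper: a small finite-state transition
# system and two ways of checking an invariant on it, explicit-state model
# checking (Section 3) and the deductive invariance rule G-INV (Section 4).
# The protocol, its variables and all helper names are constructed for this
# example.
from collections import deque
from itertools import product

# System variables V = (pc1, pc2, turn).  Each process is idle (N), trying (T)
# or in its critical section (C); turn in {1, 2} says who may enter next.
# SIGMA is the whole syntactic state-space, not just the reachable part.
PC = ("N", "T", "C")
SIGMA = list(product(PC, PC, (1, 2)))
THETA = [("N", "N", 1)]                 # initial condition


def request(i):
    """Transition: process i (0-based) moves from idle to trying."""
    def tau(s):
        if s[i] != "N":
            return None                 # not enabled at s
        nxt = list(s)
        nxt[i] = "T"
        return tuple(nxt)
    return tau


def enter(i):
    """Transition: process i enters its critical section when it holds the turn."""
    def tau(s):
        if s[i] != "T" or s[2] != i + 1:
            return None
        nxt = list(s)
        nxt[i] = "C"
        return tuple(nxt)
    return tau


def leave(i):
    """Transition: process i leaves its critical section and passes the turn."""
    def tau(s):
        if s[i] != "C":
            return None
        nxt = list(s)
        nxt[i] = "N"
        nxt[2] = 2 - i                  # the other process's turn
        return tuple(nxt)
    return tau


TRANSITIONS = {
    "request1": request(0), "request2": request(1),
    "enter1": enter(0), "enter2": enter(1),
    "leave1": leave(0), "leave2": leave(1),
}


def reachable():
    """Explicit-state breadth-first exploration from THETA.  Returns the BFS
    parent map; its keys are exactly the reachable states, in BFS order."""
    parent = {s: None for s in THETA}
    queue = deque(THETA)
    while queue:
        s = queue.popleft()
        for tau in TRANSITIONS.values():
            t = tau(s)
            if t is not None and t not in parent:
                parent[t] = s
                queue.append(t)
    return parent


def model_check_invariant(p):
    """Model checking of 'always p' (□p): None if p holds on every reachable
    state, otherwise a counterexample run prefix ending in a ¬p-state."""
    parent = reachable()
    for s in parent:
        if not p(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
    return None


def verification_condition(phi, tau, psi):
    """{phi} tau {psi}: every tau-successor of a phi-state must be a psi-state.
    Checked over all of SIGMA (reachability is not assumed); returns the first
    violating pair (s, s') or None if the condition is valid."""
    for s in SIGMA:
        if phi(s):
            t = tau(s)
            if t is not None and not psi(t):
                return (s, t)
    return None


def is_inductive(phi):
    """phi holds at every initial state and is preserved by every transition."""
    return all(phi(s) for s in THETA) and all(
        verification_condition(phi, tau, phi) is None
        for tau in TRANSITIONS.values())


def g_inv(phi, p):
    """Rule G-INV: an inductive phi with phi -> p proves that p is an invariant."""
    return is_inductive(phi) and all(p(s) for s in SIGMA if phi(s))


def mutex(s):
    return not (s[0] == "C" and s[1] == "C")


def mutex_strengthened(s):
    """mutex together with 'whoever is critical holds the turn'."""
    return mutex(s) and (s[0] != "C" or s[2] == 1) and (s[1] != "C" or s[2] == 2)


if __name__ == "__main__":
    print(model_check_invariant(mutex))                   # None: holds on all reachable states
    print(verification_condition(mutex, TRANSITIONS["enter2"], mutex))   # unreachable violation
    print(g_inv(mutex_strengthened, mutex))               # True
```

The failing verification condition for mutex alone starts from the state (C, T, 2), which no computation ever reaches; that is exactly the gap between "invariant" and "inductive" that the auxiliary assertion φ closes, and it is also why the model checker, which only ever sees reachable states, needs no strengthening.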



4.1 Decision Procedures (and Their Combination) 

Most verification conditions refer to particular theories that describe the domain 
of computation, such as linear arithmetic, lists, arrays and other data types. De- 
cision procedures provide specialized and efficient validity checking for particular 
theories. For instance, equality need not be axiomatized, but its consequences 
can be efficiently derived by congruence closure. Similarly, specialized methods 
can efficiently reason about integers, lists, bit vectors and other datatypes fre- 
quently used in system descriptions. 

Thus, using appropriate decision procedures can be understood as speciali- 
zing the assertion language to the particular domains of computation used by the 
system being verified. However, this domain of computation is often a mixed one, 
resulting in verification conditions that do not fall in the decidable range of any 
single decision procedure. Thus, combination problems in automated deduction 
are highly relevant to the verification task. The challenge is to integrate existing 
decision procedures for the different decidable fragments and their combination 
into theorem-proving methods that can be effectively used in verification. See 
Bjørner [6] for examples of such combinations. 
4.2 Validity Checking and First-Order Reasoning 

Decision procedures usually operate only at the ground level, where no quan- 
tification is allowed. This is sufficient in many cases; for instance, the Stanford 
Validity Checker (SVC) [2] is an efficient checker specialized to handle large gro- 
und formulas, including uninterpreted function symbols, that occur in hardware 
verification. 

However, program features such as parameterization and the tick transition 
in real-time systems introduce quantifiers in verification conditions. Fortunately, 
the required quantifier instantiations are often “obvious,” and use instances that 
can be provided by the decision procedures themselves. Both the Extended Static 
Checking system (ESC) [23] and the Stanford Temporal Prover (STeP) [6,7,9] 
feature integrations of first-order reasoning and decision procedures that can 
automatically prove many verification conditions that would otherwise require 
the use of an interactive prover. 

Finally, we note that automatic proof methods for first-order logic and certain 
specialized theories are necessarily incomplete, not guaranteed to terminate, or 
both. In practice, automatic verification tools abandon completeness and focus 
instead on quickly deciding particular classes of problems that are both tractable 
and likely to appear when verifying realistic systems. 

To achieve completeness, interactive theorem proving must be used, and the 
above techniques must be integrated into interactive theorem proving frame- 
works, as done, for instance, in STeP and PVS [47]. Combining decision proce- 
dures, validity checkers and theorem provers, and extending them to ever-more 
expressive assertion languages, are ongoing challenges. 



5 Abstraction and Invariant Generation 

Abstraction is a fundamental and widely-used verification technique. Together 
with modularity, it is the basis of most combinations of model checking and 
deductive verification [37], as we will see in Sections 6 and 7. 

Abstraction reduces the verification of a property $\varphi$ over a concrete system S, 
to checking a related property $\varphi^A$ over a simpler abstract system A. It allows the 
verification of infinite-state systems by constructing abstract systems that can be 
model checked. It can also mitigate the state explosion problem in the finite-state 
case, by constructing abstract systems with a more manageable state-space. 

Abstract interpretation [18] provides a general framework and a methodo- 
logy for automatically producing abstract systems given a choice of the abstract 
domain $\Sigma_A$. The goal is to construct abstractions whose state-space can be re- 
presented, manipulated and approximated in ways that could not be directly 
applied to the original system. Originally designed for deriving safety properties 
in static program analysis, this framework has recently been extended to include 
reactive systems and general temporal logic, e.g., [39,20]. 

One simple but useful instance of this framework is based on Galois connec- 
tions. Two functions, $\alpha : 2^{\Sigma_C} \to \Sigma_A$ and $\gamma : \Sigma_A \to 2^{\Sigma_C}$, connect the lattice 
of sets of concrete states and an abstract domain $\Sigma_A$, which we assume to be 
a complete boolean lattice. The abstraction function $\alpha$ maps each set of con- 
crete states to an abstract state that represents it. The concretization function 
$\gamma : \Sigma_A \to 2^{\Sigma_C}$ maps each abstract state to the set of concrete states that it 
represents. 

In general, the abstract and concrete systems are described using different 
assertion languages, specialized to the respective domains of computation (see 
Section 4.1). We say that an assertion or temporal formula is abstract or concrete 
depending on which language it belongs to. 

For an abstract sequence of states $\pi^A : a_0, a_1, \ldots$, its concretization $\gamma(\pi^A)$ is 
the set of sequences $\{s_0, s_1, \ldots \mid s_i \in \gamma(a_i) \text{ for all } i \ge 0\}$. The abstraction $\alpha(S)$ 
of a set of concrete states $S$ is 

$$\alpha(S) \stackrel{\text{def}}{=} \bigwedge \{a \in \Sigma_A \mid S \subseteq \gamma(a)\} .$$

This is the smallest point in the abstract domain that represents all the elements 
of S. In practice, it is enough to soundly over-approximate such sets [17]. 

Definition 4 (Abstraction and concretization of CTL* properties). For 
a concrete CTL* temporal property $\varphi$, its abstraction $\alpha(\varphi)$ is obtained by re- 
placing each assertion $f$ in $\varphi$ by an abstract assertion $\alpha^{-}(f)$ that characterizes 
the set of abstract states $\alpha^{-}(f) : \bigvee_A \{a \in \Sigma_A \mid \gamma(a) \subseteq f\}$. Conversely, given an 
abstract temporal property $\varphi^A$, its concretization $\gamma(\varphi^A)$ is obtained by replacing 
each atom $a$ in $\varphi^A$ by an assertion that characterizes $\gamma(a)$. 

We can now formally define weak property preservation, where properties of 
the abstract system can be transferred over to the concrete one: 

Definition 5 (Weak preservation). $A$ is a weakly preserving abstraction of 
$S$ relative to a class of concrete temporal properties $\mathcal{V}$ if for any property $\varphi \in \mathcal{V}$, 

1. If $A \models \alpha(\varphi)$ then $S \models \varphi$. Or, equivalently: 

2. For any abstract temporal property $\varphi^A$ where $\gamma(\varphi^A) \in \mathcal{V}$, if $A \models \varphi^A$ then 
$S \models \gamma(\varphi^A)$. 

Note that the failure of $\varphi^A$ for $A$ does not imply the failure of $\varphi$ for $S$. 
Strong property preservation ensures the transfer of properties from S to A as 
well; however, it severely limits the degree of abstraction that can be performed, 
so weak preservation is more often used. 

There are two general applications of this framework: In the first, we can 
transfer any property of a correct abstraction over to the concrete system, inde- 
pendently of any particular concrete property to be proved. Thus, this is called 
the bottom-up approach. In the second, given a concrete property to be proved, 
we try to find an abstract system that satisfies the corresponding abstract pro- 
perty. The abstraction is now tailored to a specific property, so this is called the 
top-down approach. We return to this classification in Section 7. 

The question now is how to determine that a given abstract system is indeed 
a sound abstraction of S. The following theorem expresses sufficient conditions 
for this, establishing a simulation relation between the two systems: 
Proposition 2 (Weakly preserving $\forall$CTL* abstraction). Consider sy- 
stems $S : \langle \Sigma_C, \Theta_C, R_C \rangle$ and $A : \langle \Sigma_A, \Theta_A, R_A \rangle$ such that for a concretization 
function $\gamma : \Sigma_A \to 2^{\Sigma_C}$ the following hold: 

1. Initiality: $\Theta_C \subseteq \gamma(\Theta_A)$. 

2. Consecution: If $R_C(s_1, s_2)$ for some $s_1 \in \gamma(a_1)$ and $s_2 \in \gamma(a_2)$, then 
$R_A(a_1, a_2)$. 

Then $A$ is a weakly preserving abstraction of $S$ for $\forall$CTL*. 

Informally, the conditions ensure that A can do everything that S does, and 
perhaps some more. Note that this proposition is limited to universal properties 
and does not consider fairness. The framework can, however, be extended to 
include existential properties and take fairness into account — see [20,58]. 



5.1 Invariant Generation 

Once established, invariants can be very useful in all forms of deductive and 
algorithmic verification, as we will see in Section 6. Given a sound $\forall$CTL*- 
preserving abstraction $A$ of $S$, if $\Box\varphi^A$ is an invariant of $A$, then $\Box\gamma(\varphi^A)$ is 
an invariant of S. Thus, in particular, the concretization of the reachable state- 
space of the abstract system is an invariant of the concrete one; furthermore, any 
over-approximation of this state-space is also an invariant. This is the basis for 
most automatic invariant generation methods based on abstract interpretation, 
which perform the following steps: 

1. Construct an abstract system A over some suitable domain of computation; 

2. Compute an over-approximation of the state-space of A, expressed as an 
abstract assertion or a set of constraints; 

3. Concretize this abstract assertion, to produce an invariant over the concrete 
domain. 

Widening, a classic abstract interpretation technique, can be used to speed 
up or ensure convergence of the abstract fixpoint operations, by performing 
safe over-approximations. This is the approach taken in [8] to automatically 
generate invariants for general infinite-state systems. The abstract domains used 
include set constraints, linear arithmetic, and polyhedra. These methods are 
implemented as part of STeP [7]. 
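
The three steps above, carried out over intervals for a constructed bounds-checking loop, as an added example (it is not the STeP implementation of [8], which works over set constraints, linear arithmetic and polyhedra). The interval domain, the loop `i := 0; while i < BUF_LEN { buf[i] := ...; i := i + 1 }` and the location names are assumptions of the example. Widening makes the ascending iteration converge, and a standard narrowing pass then recovers the finite upper bound that widening discarded, yielding `0 <= i <= 63` at the loop body, i.e. every access `buf[i]` is in bounds:

```python
"""Invariant generation by abstract interpretation over intervals, an added
example for steps 1-3 above; it is not the STeP implementation of [8], which
uses richer domains such as polyhedra.  The loop analysed is constructed here."""
INF = float("inf")
TOP = (-INF, INF)        # an interval is (lo, hi); None is the empty set (bottom)

def join(a, b):
    """Least upper bound of two intervals."""
    if a is None: return b
    if b is None: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    """old widen new: a bound that is still moving jumps to infinity, so the
    ascending iteration converges after finitely many rounds."""
    if old is None: return new
    if new is None: return old
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)

def narrow(old, new):
    """Descending step: only the infinite bounds introduced by widening are
    replaced by the recomputed ones (the standard companion of widening)."""
    if old is None or new is None: return None
    return (new[0] if old[0] == -INF else old[0],
            new[1] if old[1] == INF else old[1])

def guard(lo=-INF, hi=INF):
    """Abstract transformer of the test lo <= x <= hi (interval intersection)."""
    def f(iv):
        if iv is None: return None
        l, h = max(iv[0], lo), min(iv[1], hi)
        return (l, h) if l <= h else None
    return f

def assign_const(c):
    return lambda iv: None if iv is None else (c, c)

def add_const(c):
    return lambda iv: None if iv is None else (iv[0] + c, iv[1] + c)

def iterate(edges, state, widen_at, ascending):
    """Chaotic iteration over the control-flow graph until no location changes.
    Loop heads (widen_at) use widening on the way up and narrowing on the way down."""
    while True:
        changed = False
        for loc, in_edges in edges.items():
            new = None
            for src, f in in_edges:
                new = join(new, f(state[src]))
            if loc in widen_at:
                new = widen(state[loc], new) if ascending else narrow(state[loc], new)
            elif ascending:
                new = join(state[loc], new)
            if new != state[loc]:
                state[loc], changed = new, True
        if not changed:
            return state

# --- Step 1: abstract system for the constructed loop --------------------------
#   entry: i := 0;   head: while i < BUF_LEN {  body: buf[i] := ...; i := i + 1 }  exit
BUF_LEN = 64
CFG = {   # location -> incoming edges (source location, abstract transformer)
    "head": [("entry", assign_const(0)), ("body", add_const(1))],
    "body": [("head", guard(hi=BUF_LEN - 1))],    # i < BUF_LEN
    "exit": [("head", guard(lo=BUF_LEN))],        # i >= BUF_LEN
}

def loop_invariants():
    """Step 2: over-approximate the reachable abstract states at every location."""
    state = {"entry": TOP, "head": None, "body": None, "exit": None}
    state = iterate(CFG, state, widen_at={"head"}, ascending=True)
    return iterate(CFG, state, widen_at={"head"}, ascending=False)

def to_assertion(var, iv):
    """Step 3: concretize an abstract value into an assertion over the program variable."""
    if iv is None: return "false"
    lo, hi = iv
    if lo == -INF and hi == INF: return "true"
    if lo == -INF: return f"{var} <= {int(hi)}"
    if hi == INF: return f"{int(lo)} <= {var}"
    return f"{int(lo)} <= {var} <= {int(hi)}"

if __name__ == "__main__":
    for loc, iv in loop_invariants().items():
        print(f"{loc:5}: {to_assertion('i', iv)}")   # body: 0 <= i <= 63, so buf[i] is in bounds
```

Without widening the ascending iteration at `head` would need about as many rounds as the loop has iterations, and would not terminate at all for an unbounded loop; with it, three rounds suffice, at the price of the infinite upper bound that the narrowing pass then repairs.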

6 Loosely Coupled Combinations 

The preceding sections have presented model checking, deductive verification, 
and abstraction, including the special case of invariant generation. Numerous 
stand-alone tools that perform these tasks are available. This section surveys 
combination methods that can use these separate components as “black boxes,” 
while Section 7 describes methods that require a closer integration. 
6.1 Modularity and Abstraction 

Given the complementary nature of model checking and theorem proving, as 
discussed in Section 1, a natural combination is to decompose the verification 
problem into sub-problems that fall within the range of application of each of the 
methods. Since theorem proving is more expressive and model checking is more 
automatic, the most reasonable approach is to use deductive tools to reduce the 
main verification problem to subgoals that can be model checked. 

Abstraction is one of the two main methods for doing this: abstractions are 
deductively justified and algorithmically model checked. The other is modular ve- 
rification. Here, the system being verified is split into its constituent components, 
which are analyzed independently, provided assumptions on their environment. 
The properties of the individual components are then combined, usually follo- 
wing some form of assumption-guarantee reasoning, to derive properties of the 
complete system. This avoids the state-space explosion and allows the re-use of 
properties and components. Different specialized tools can be applied to different 
modules; finite-state modules can be model checked, and infinite-state modules 
can be verified deductively. 

Abstraction and modularity are orthogonal to each other: modules can be 
abstracted, and abstractions can be decomposed. Together, they form a powerful 
basis for scaling up formal verification [37,52]. 

6.2 General Deductive Environments 

A general-purpose theorem prover can formalize modular decomposition and 
assume-guarantee reasoning, formalize and verify the correctness of abstractions, 
apply verification rules, and put the results together. It can also handle para- 
meterization, where an arbitrary number of similar modules are composed, and 
provide decision procedures and validity checkers for specialized domains (see 
Section 4.1). This often includes OBDD’s for finite-state constraint solving and 
model checking. 

Provers such as HOL, the Boyer-Moore prover, and PVS, have been equipped 
with BDD’s and used in this way. From the theorem-proving point of view, this 
is a tight integration: model checking becomes a proof rule or a tactic. However, 
it is usually only used at the leaves of the proof tree, so the general verification 
method remains loosely coupled. 

The above theorem provers do not commit to any particular system repre- 
sentation, so the semantics of reactive systems and temporal properties must 
be formalized within their logic. The STeP system [7] builds in the notion of 
fair transition systems and LTL, and provides general model checking and theo- 
rem proving as well (and more specialized tools, which we will see below). The 
Symbolic Model Prover (SyMP) [4] is an experimental deductive environment 
oriented to model checking, featuring a modular system specification language 
and interfaces to SMV and decision procedures. 

Verification environments such as the above, which include model checking 
and theorem proving under a common deductive environment, support the fol- 
lowing tasks: 
Debugging Using Model Checking: A simple but important application of 
model checking in a deductive environment is to check (small) finite instances of 
an infinite-state or parameterized system specification. In this way, many errors 
can quickly be found before the full deductive verification effort proceeds. 

Incremental Verification: As mentioned in Section 4, verification conditions 
need not be valid in general, but only valid with respect to the invariants of the 
system. Therefore, deductive verification usually proceeds by proving a series 
of invariants of increasing strength, where each is used as a lemma to prove 
subsequent ones [44]. The database of system properties can also help justify new 
reductions or abstractions, which in turn can be used to prove new properties. 

Automatically generated invariants can also be used to establish verification 
conditions. Different abstract domains generate different classes of invariants; 
in some cases, expressing the invariants so that they can be effectively used 
by the theorem proving machinery is a non-trivial task, and presents another 
combination challenge. So is devising invariant generation methods that take 
advantage of system properties already proven. 

Invariants can also be used to constrain the set of states explored in symbolic 
model checking [49], for extra efficiency. Here, too, it may be necessary to trans- 
late the invariant into a form useful to the model checker, e.g. if an individual 
component or an abstracted finite-state version is being checked. 

Formal Decomposition: System abstraction and modular verification are of- 
ten performed manually and then proved correct. If done within a general theo- 
rem proving environment, these steps can be formally checked. For instance, 
Müller and Nipkow [46] use the Isabelle theorem prover to prove the soundness 
of an I/O-automata abstraction, which is then model checked. Hungar [33] con- 
structs model-checkable abstractions based on data independence and modula- 
rity. Abstraction is also used by Rajan et al. [51] to obtain subgoals that can be 
model checked, where the correctness of the abstraction is proved deductively. 
Kurshan and Lamport [38] use deductive modular decomposition to reduce the 
correctness of a large hardware system to that of smaller components that can 
be model checked. 

6.3 Abstraction Generation Using Theorem Proving 

Many of the works cited above use theorem proving to prove that an abstraction 
given a priori is correct. This abstraction is usually constructed manually, which 
can be a time-consuming and error-prone task. An attractive alternative is to 
use theorem proving to construct the abstraction itself. 

The domain most often used for this purpose is that of assertion-based 
abstractions, also known as predicate or boolean abstractions. Here, the ab- 
stract state-space is the complete boolean algebra over a finite set of assertions 
$B : \{b_1, \ldots, b_n\}$, which we call the basis of the abstraction. For a point $p$ in the 
boolean algebra, its concretization $\gamma(p)$ is the set of concrete states that satisfy 
$p$ (see Section 5). For an abstract assertion $f^A$, a concrete assertion that charac- 
terizes $\gamma(f^A)$ is obtained simply by replacing each boolean variable in $f^A$ by the 
corresponding basis element. Similarly, for an abstract temporal formula $\varphi^A$, its 
concretization $\gamma(\varphi^A)$ is obtained by replacing each assertion in $\varphi^A$ by its con- 
cretization. Since the abstract system is described in terms of logical formulas, 
off-the-shelf theorem proving can be used to construct and manipulate it. 

Graf and Saïdi [28] presented the first automatic procedure for generating 
such abstractions, using theorem proving to explicitly generate the abstract 
state-space. Given an abstract state s, an approximation of its successors is 
computed by deciding which assertions are implied by the postcondition of 7 (s). 
This is done using a tactic of the PVS theorem prover [47]. If the proof fails, 
the next-state does not include any information about the corresponding as- 
sertions, thus safely coarsening the abstraction: the abstract transition relation 
over-approximates the concrete one. 

An alternative algorithm is presented by Colón and this author in [17], using 
the decision procedures in STeP. Rather than performing an exhaustive search 
of the reachable abstract states while constructing A , this algorithm transforms 
S to A directly, leaving the exploration of the abstract state-space to an off- 
the-shelf model checker. Thus, this procedure is applicable to systems whose 
abstract state-space is too large to enumerate explicitly, but can still be handled 
by a symbolic model checker. The price paid by this approach, compared to [28], 
is that a coarser abstraction may be obtained. 

Bensalem et al. [3] present a similar framework for generating abstractions. 
Here, the invariant to be proved is assumed when generating the abstraction, 
yielding a better abstract system. 

From the combination point of view, all of these approaches have the ad- 
vantage of using a validity checker purely as a black box, operating only under 
the assumption of soundness; more powerful checkers will yield better abstrac- 
tions. For instance, SVC [2] (see Section 4.1) has been used to generate predicate 
abstractions as well [21]. As with invariant generation, these methods can be pa- 
rameterized by the abstract assertion language and validity checker used. Note 
that some user interaction is still necessary, in the choice of assertions for the 
abstraction basis; but the correctness of the resulting abstraction is guaranteed. 
A related method for generating abstract systems is presented in [40], intended 
for the practical analysis and debugging of complex software systems. 

These finite-state abstractions can be used to generate invariants; as noted in 
Section 5.1, the concretization of the reachable state-space of A is an invariant 
of the original system (but may be an unwieldy formula); on the other hand, 
previously proven invariants of S can be used as lemmas in the abstraction 
generation process, yielding finer abstract systems. 



7 Tight Combinations 

We now describe and classify more tightly-coupled combination methods that 
are based on abstraction; its counterpart, modularity, is only briefly mentioned 
in the interest of satisfying space constraints. 
Abstraction Refinement: Recall that weak property preservation (Section 5) 
only guarantees that $S \models \varphi$ whenever $A \models \varphi^A$; if the abstract property fails, 
it is possible that $\varphi$ does hold for $S$, but the abstraction was not fine enough 
to prove it. Thus, in general, abstractions must be refined in order to prove the 
desired property. In predicate abstraction, refinement occurs by performing new 
validity checks over the existing basis, or adding new assertions to the basis. 

A generic abstraction-based verification procedure for proving $S \models \varphi$ pro- 
ceeds as follows: First, an initial weakly-preserving abstraction $A$ of $S$ is given 
by the user or constructed automatically. If model checking $A \models \varphi^A$ succeeds, 
the proof is complete. Otherwise, $A$ is used as the starting point for producing 
a finer abstraction $A'$, which is still weakly-preserving for $S$ but satisfies more 
properties. This process is repeated until $\varphi$ is proved (if it indeed holds for $S$). 

At each step, the model checker produces an abstract counterexample, which 
does not necessarily correspond to any concrete computation. However, it can 
help choose the next refinement step, or serve as the basis for finding a concrete 
counterexample that indeed falsifies $\varphi$. Finding effective procedures to distin- 
guish between these two cases and perform the refinement remains an intriguing 
research problem, which is addressed by some of the methods described below. 
(In the general case, we are still faced with an undecidable problem, so no method 
can guarantee that the process will terminate.) 
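
The procedure just described, as an added example that is not code from STeP, PVS, SVC or the cited papers. The abstraction is built the way Section 6.3 describes (for each abstract state, decide which basis assertions are implied by the post-image of its concretization), checked against the two conditions of Proposition 2, model checked, and refined when the abstract counterexample does not concretize. The concrete counter system, the property and the basis assertions `x < 10` and `even(x)` are constructed for the example, and because its state space is finite the validity checks are done by exhaustive enumeration rather than by a theorem prover:

```python
"""Predicate abstraction with counterexample-guided refinement, an added example
for Sections 6.3 and 7; it is not code from STeP, PVS, SVC or the cited papers.
The concrete system, property and assertion basis are constructed here, and
since the concrete state space is finite, the implication checks a validity
checker would perform are done by exhaustive enumeration."""
from collections import deque
from itertools import product

# Constructed concrete system S = (Sigma_C, Theta_C, R_C) over one variable x
DOMAIN = range(0, 21)   # Sigma_C: x in 0..20
THETA_C = {0}           # initial condition x = 0

def R_C(x):
    """Concrete successors of x: step by 2 while x < 10, then idle."""
    return {x + 2} if x < 10 else {x}

def gamma(basis, a):
    """Concretization of abstract state a, a truth assignment to the basis."""
    return {x for x in DOMAIN if all(b(x) == v for b, v in zip(basis, a))}

def build_abstract_system(basis):
    """Construct A as in [28]: a successor keeps each basis assertion (or its
    negation) that is implied by the post-image of gamma(a); an assertion implied
    neither way takes both values, so R_A over-approximates R_C."""
    abs_states = list(product((True, False), repeat=len(basis)))
    theta_A = {a for a in abs_states if gamma(basis, a) & THETA_C}
    R_A = {}
    for a in abs_states:
        post = {y for x in gamma(basis, a) for y in R_C(x)}
        choices = []
        for b in basis:
            if all(b(x) for x in post):          # post(gamma(a)) implies b
                choices.append((True,))
            elif all(not b(x) for x in post):    # post(gamma(a)) implies not b
                choices.append((False,))
            else:                                # neither validity check succeeds
                choices.append((True, False))
        R_A[a] = set(product(*choices)) if post else set()
    return abs_states, theta_A, R_A

def check_simulation(basis, abs_states, theta_A, R_A):
    """Proposition 2 (initiality and consecution), checked exhaustively."""
    if not all(any(x in gamma(basis, a) for a in theta_A) for x in THETA_C):
        return False
    return all(a2 in R_A[a1]
               for a1 in abs_states for x in gamma(basis, a1) for y in R_C(x)
               for a2 in abs_states if y in gamma(basis, a2))

def model_check_invariant(theta_A, R_A, good):
    """Explicit-state check of Box(good) on A: returns the shortest abstract
    counterexample trace, or None if every reachable abstract state is good."""
    parent, queue = {a: None for a in theta_A}, deque(theta_A)
    while queue:
        a = queue.popleft()
        if a not in good:
            trace = []
            while a is not None:
                trace.append(a)
                a = parent[a]
            return trace[::-1]
        for a2 in R_A[a]:
            if a2 not in parent:
                parent[a2] = a
                queue.append(a2)
    return None

def concretize_trace(basis, trace, prop):
    """Search for a concrete computation s_0, s_1, ... with s_i in gamma(a_i) whose
    last state violates prop; None means the abstract trace is spurious."""
    paths = [[s] for s in THETA_C if s in gamma(basis, trace[0])]
    for a in trace[1:]:
        paths = [p + [s] for p in paths for s in R_C(p[-1]) if s in gamma(basis, a)]
    return next((p for p in paths if not prop(p[-1])), None)

def verify(prop, basis, candidates):
    """Refinement loop for S |= Box(prop).  Refinement adds the next user-supplied
    candidate assertion to the basis; picking it automatically is the open
    problem discussed in the text."""
    basis, candidates = list(basis), list(candidates)
    while True:
        abs_states, theta_A, R_A = build_abstract_system(basis)
        assert check_simulation(basis, abs_states, theta_A, R_A)
        # alpha^-(prop): abstract states whose concretization lies inside prop
        good = {a for a in abs_states if all(prop(x) for x in gamma(basis, a))}
        trace = model_check_invariant(theta_A, R_A, good)
        if trace is None:
            return ("proved", len(basis))
        path = concretize_trace(basis, trace, prop)
        if path is not None:
            return ("counterexample", path)
        if not candidates:
            return ("unknown", len(basis))
        basis.append(candidates.pop(0))

lt10 = lambda x: x < 10        # initial basis assertion
even = lambda x: x % 2 == 0    # refinement candidate

if __name__ == "__main__":
    print(verify(lambda x: x != 7, [lt10], [even]))    # proved after one refinement
    print(verify(lambda x: x != 0, [lt10], [even]))    # genuine counterexample [0]
    print(verify(lambda x: x != 10, [lt10], [even]))   # spurious traces, basis exhausted
```

The three runs at the bottom show the three outcomes: `x != 7` is proved once `even(x)` enters the basis, `x != 0` yields a genuine counterexample, and `x != 10` (which is false, since 10 is reachable) produces only spurious abstract traces, because the shortest abstract path collapses five concrete steps into one self-loop; the loop reports `unknown` when the candidate assertions run out, which is the non-termination the text warns about.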

Methods that combine deductive and algorithmic verification through ab- 
straction can be classified according to the following criteria: 

— whether the abstraction is constructed a priori or dynamically refined 
(static vs. dynamic); 

— whether the abstraction generation is tailored specifically for the property 
of interest (bottom-up vs. top-down); 

— whether the process is automatic or interactive. 

Focusing on a particular formula allows for coarser abstract systems, which sa- 
tisfy fewer properties but can be easier to construct and model check. 

The automatic abstraction generation algorithms of Section 6.3 are gene- 
rally bottom-up, but can be focused towards a particular temporal property 
by including its atomic subformulas as part of the assertion basis. The tighter 
combinations described below are mostly top-down, using a mixture of model 
checking and theorem proving that is specialized to the particular temporal pro- 
perty being proved. 

7.1 Diagram-Based Formalisms 

We begin by describing a number of diagram-based verification formalisms that 
have been developed as part of the STeP project [7]. They offer deductive- 
algorithmic proof methods that are applicable to arbitrary temporal properties. 

Static Abstractions: GVD’s: The Generalized Verification Diagrams (GVD’s) 
of Browne et al. [11] provide a graphical representation of the verification con- 
ditions needed to establish an arbitrary temporal formula, extending the specia- 
lized diagrams of Manna and Pnueli [43]. 
A GVD serves as a proof object, but is also a weakly-preserving assertion- 
based abstraction of the system, where the basis is the set of formulas used in 
the diagram [41]. Each node in the diagram is labeled with an assertion $f$, and 
corresponds to an abstract state representing the set of states that satisfy $f$. The 
diagram $\Phi$ is identified with a set of computations $C(\Phi)$, and a set of verification 
conditions associated with the diagram show that $C(S) \subseteq C(\Phi)$. This proves, 
deductively, that $\Phi$ is a correct abstraction of $S$. The proof is completed by 
showing that $C(\Phi) \subseteq C(\varphi)$. This corresponds to model checking $\varphi$ over $\Phi$ when 
$\Phi$ is seen as an abstract system, and is done algorithmically, viewing the diagram 
as an $\omega$-automaton. 

Diagrams can be seen as a flexible generalization of the classic deductive rules. 
(As noted in, e.g., [3,37], the success of a deductive rule such as G-INV of Section 4 
implies the existence of an abstraction for which the proven property can be 
model checked.) Since the diagram is tailored to prove a particular property 
$\varphi$, this can be classified as a top-down approach. Since the formalism does not 
include refinement operations in the case that the proof attempt fails, it is static. 

Dynamic Abstractions: Deductive Model Checking: Deductive Model 
Checking (DMC), presented by Sipma et al. [57], is a method for the inter- 
active model checking of possibly infinite-state systems. To prove a property $\varphi$, 
DMC searches for a counterexample computation by refining an abstraction of 
the $(S, \neg\varphi)$ product graph. 

The DMC procedure interleaves the theorem proving and model checking 
steps, refining the abstraction as the model checking proceeds. This focuses the 
theorem proving effort to those aspects of the system that are relevant to the 
property being proved. On the other hand, the expanded state-space is restricted 
by the theorem proving, so that space savings are possible even in the case of 
finite-state systems. 

Sipma [56] describes DMC, GVD’s, and their application to the verification of 
real-time and hybrid systems. The fairness diagrams of de Alfaro and Manna [22] 
present an alternate dynamic refinement method that combines the top-down 
and bottom-up approaches. 

7.2 Model Checking for Infinite-State Systems 

Abstraction is also the basis of model checking algorithms for decidable classes 
of infinite-state systems, such as certain classes of real-time and hybrid systems. 
In some cases, the exploration of a finite quotient of the state-space is sufficient. 
For others, the convergence of fixpoint operations is ensured by the right choice 
of abstract assertion language, such as polyhedra [30] or Presburger arithmetic 
[13]. The underlying principles are explored in [26,31]. 

A number of “local model checking” procedures for general infinite-state 
systems, such as that of Bradfield and Stirling [10], are also hybrid combinations 
of deductive verification rules and model checking. Another top-down approach is 
presented by Damm et al. [19] as a “truly symbolic” model checking procedure, 
analyzing the separation between data and control. A tableau-based procedure 
for $\forall$CTL generates the required verification conditions in a top-down, local 
manner, similarly to DMC. 

Model Checking and Static Analysis: The relationship between model 
checking and abstract interpretation continues to be the subject of much re- 
search. Static program analysis methods based on abstract interpretation have 
been recently re-formulated in terms of model checking. For instance, Schmidt 
and Steffen [55] show how many program analysis techniques can be understood 
as the model checking of particular kinds of abstractions. 

ESC [23] and Nitpick [34] are tools that automatically detect errors in soft- 
ware systems by combining static analysis and automatic theorem proving me- 
thods. Another challenge is to further combine program analysis techniques with 
formal verification and theorem proving (see [52]). 

Finally, we note that there is also much work on applying abstraction to 
finite-state systems, particularly large hardware systems. Abstracting from the 
finite-state to an infinite-state abstract domain has proved useful here, namely, 
using uninterpreted function symbols and symbolically executing the system 
using a decidable logic, as shown, e.g., by Jones et al. [35]. 



7.3 Integrated Approaches 

A number of verification environments and methodologies have been proposed 
that combine the above ingredients in a systematic way. 

As mentioned above, STeP [7] includes deductive verification, generalized 
verification diagrams, symbolic and explicit-state model checking, abstraction 
generation, and automatic invariant generation, which share a common system 
and property specification language. To this, modularity and compositional ve- 
rification are being added as well — see Finkbeiner et al. [27]. 

Dingel and Filkorn [25] apply abstraction and error trace analysis to infinite- 
state systems. The abstract system is generated automatically given a data ab- 
straction that maps concrete variables and functions to abstract ones. If an 
abstract counterexample is found that does not correspond to a concrete one, an 
assumption that excludes this counterexample is generated. This is a temporal 
formula that should hold for the concrete system S. The model checker, which 
takes such assumptions into account, is then used again. The process is iterated 
until a concrete counterexample is found, or model checking succeeds under a 
given set of assumptions. In the latter case, the assumptions are deductively 
verified over the concrete system. If they hold, the proof is complete. 

Rusu and Singerman [53] present a framework that combines abstraction, 
abstraction refinement and theorem proving specialized to the case of invariants, 
where the different components are treated as “black boxes.” After an assertion- 
based abstraction is generated (using the method of Graf and Saïdi [28]), abstract 
counterexamples are analyzed to refine the abstraction or produce a concrete 
counterexample. Conjectures generated during the refinement process are given 
to the theorem prover, and the process repeated. 
A similar methodology is proposed by Saïdi and Shankar [54]. The ongoing 
Symbolic Analysis Laboratory (SAL) project at SRI [52] proposes a collection 
of multiple different analysis tools, including theorem provers, model checkers, 
abstraction and invariant generators, that communicate through a common lan- 
guage in a blackboard architecture. 

An Abstraction-Based Proposal: Table 2 summarizes the classification of 
the abstraction-based methods discussed in this section. For general infinite-state 
systems, the automatic methods are incomplete, and the complete methods are 
interactive. 



Table 2. Classification of some combination methods based on abstraction 

Method                                      refinement?  uses $\varphi$?  automatic? 
Static Analysis and Invariant Generation    static       bottom-up        automatic 
  (Abstract Interpretation) 
(Generalized) Verification Diagrams         static       top-down         interactive 
  (includes verification rules) 
Deductive Model Checking                    dynamic      top-down         interactive 
Fairness Diagrams                           dynamic      [both]           interactive 
Infinite-state Model Checking               dynamic      top-down         [both] 


In [58], this author proposes combining these approaches by exploiting their 
common roots in abstraction. Each different proof attempt (including failed ones) 
and static analysis operation provides additional information about the system 
being verified. This information can be captured, incrementally, as an extended 
finite-state abstraction, which includes information about fairness constraints 
and well-founded orders over the original system. Once generated, these abstrac- 
tions can be combined and re-used, given a (correspondingly extended) model 
checker to reason about them. 

Thus, abstractions can serve as the repository for all the information about 
the system that is shared by the different components. An important challenge is 
to manage and combine abstractions from different domains, finding a common 
language to express them. 

The tight integration found in DMC’s and GVD’s (Section 7.1) is an obstacle 
for their implementation using off-the-shelf tools. However, it allows for more 
detailed user input and feedback. Given tools whose input is expressive and 
flexible enough, such as a model checker for the extended abstractions, it will be 
possible to implement such tightly coupled methods in a more modular way. 

The abstraction framework has the advantage of leaving the combinatorial 
problems to the automatic tools, as well as getting the most out of the automatic 
theorem-proving tools; the user can then focus on defining the right abstractions 
and guiding their refinement, until a proof or counterexample are found. We 
believe that such approaches will lead to more automated, lightweight and useful 
verification tools. 
Abstract. This paper describes a high-level implementation of the con- 
current constraint functional logic language Curry. The implementation, 
directed by the lazy pattern matching strategy of Curry, is obtained by 
transforming Curry programs into Prolog programs. Contrary to pre- 
vious transformations of functional logic programs into Prolog, our im- 
plementation includes new mechanisms for both efficiently performing 
concurrent evaluation steps and sharing common subterms. The practical 
results show that our implementation is superior to previously proposed 
similar implementations of functional logic languages in Prolog and is 
competitive w.r.t. lower-level implementations of Curry in other target 
languages. 

An noteworthy advantage of our implementation is the ability to im- 
mediately employ in Curry existing constraint solvers for logic program- 
ming. In this way, we obtain with a relatively modest effort the implemen- 
tation of a declarative language combining lazy evaluation, concurrency 
and constraint solving for a variety of constraint systems. 



1 Introduction 

The multi-paradigm language Curry [12,18] seamlessly combines features from 
functional programming (nested expressions, lazy evaluation, higher-order 
functions), logic programming (logical variables, partial data structures, built-in 
search), and concurrent programming (concurrent evaluation of expressions with 
synchronization on logical variables). Moreover, the language provides both of the 
most important operational principles developed in the area of integrated 
functional logic languages: “residuation” and “narrowing” (see [10] for a survey on 
functional logic programming). 

Curry’s operational semantics (first described in [12]) combines lazy reduction 
of expressions with a possibly non-deterministic binding of free variables 
occurring in expressions. To provide the full power of logic programming, 
(equational) constraints can be used in the conditions of function definitions. 
Basic constraints can be combined into complex constraint expressions by a 
concurrent conjunction operator that evaluates constraints concurrently. Thus, 
purely functional programming, purely logic programming, and concurrent (logic) 
programming are obtained as particular restrictions of this model [12]. 

In this paper, we propose a high-level implementation of this computation 
model in Prolog. This approach avoids the complex implementation of an ab- 
stract machine (e.g., [16]) and is able to reuse existing constraint solvers available 
in Prolog systems. In the next section, we review the basic computation model 
of Curry. The transformation scheme for compiling Curry programs into Pro- 
log programs is presented in Section 3. Section 4 contains the results of our 
implementation. Section 5 discusses related work and contains our conclusions. 

2 The Computation Model of Curry 

This section outlines the computation model of Curry. A formal definition can 
be found in [12,18]. 

The basic computational domain of Curry is, similarly to functional or logic 
languages, a set of data terms constructed from constants and data constructors. 
These are introduced by data type declarations such as:¹ 

data Bool = True | False 
data List a = [] | a : List a 

True and False are the Boolean constants. [] (empty list) and : (non-empty 
list) are the constructors for polymorphic lists (a is a type variable ranging 
over all types and the type List a is usually written as [a] for conformity with 
Haskell). A data term is a well-formed expression containing variables, constants 
and data constructors, e.g., True:[] or [x,y] (the latter stands for x:(y:[])). 

Functions are operations on data terms whose meaning is specified by 
(conditional) rules of the general form “l | c = r where vs free”. l has the 
form f t1 ... tn, where f is a function, t1, ..., tn are data terms and each variable 
occurs only once in l. The condition c is a constraint, r is a well-formed expression 
that may also contain function calls, vs is the list of free variables that occur 
in c and r, but not in l. The condition and the where part can be omitted if 
c and vs are empty, respectively. A constraint is any expression of the built-in 
type Constraint. Primitive constraints are equations of the form e1 =:= e2. A 
conditional rule is applied only if its condition is satisfiable. A Curry program is 
a set of data type declarations and rules. 

Example 1. Together with the above data type declarations, the following rules 
define operations to concatenate lists and to find the last element of a list: 

conc [] ys = ys 
conc (x:xs) ys = x : conc xs ys 
last xs | conc ys [x] =:= xs = x where x,ys free 

If “conc ys [x] =:= xs” is solvable, then x is the last element of list xs. □ 

¹ Curry has a Haskell-like syntax [25], i.e., (type) variables and function names start 
with lowercase letters and the names of type and data constructors start with an 
uppercase letter. Moreover, the application of f to e is denoted by juxtaposition 
(“f e”). 



Functional programming: In functional languages, the interest is in computing 
values of expressions, where a value does not contain function symbols (i.e., it 
is a data term) and should be equivalent (w.r.t. the program rules) to the initial 
expression. The value can be computed by replacing instances of rules’ left sides 
with corresponding instances of right sides. For instance, we compute the value 
of “conc [1] [2]” by repeatedly applying the rules for concatenation to this 
expression: 

conc [1] [2] -> 1:(conc [] [2]) -> [1,2] 

Curry is based on a lazy (outermost) strategy, i.e., the selected function call in 
each reduction step is outermost among all reducible function calls. This strategy 
supports computations with infinite data structures and a modular programming 
style with separation of control aspects. Moreover, it yields optimal computations 
[5] and a demand-driven search method [15] for the logic part of a program, which 
will be discussed next. 

Logic programming: In logic languages, an expression (or constraint) may contain 
free variables. A logic programming system should compute solutions, i.e., find 
values for these variables such that the expression (or constraint) is reducible 
to some value (or satisfiable) . Fortunately, this requires only a minor extension 
of the lazy reduction strategy. The extension deals with non-ground expressions 
and variable instantiation: if the value of a free variable is demanded by the 
left-hand sides of some program rules in order to continue the computation (i.e., 
no program rule is applicable if the variable remains unbound), the variable is 
bound to all the demanded values. For each value, a separate computation is 
performed. For instance, if the function f is defined by the rules 

f 0 = 2 

f 1 = 3 

(the integer numbers are considered as an infinite set of constants), then the 
expression “f x”, with x a free variable, is evaluated to 2 by binding x to 0, or 
it is evaluated to 3 by binding x to 1. Thus, a single computation step may yield 
a single new expression ( deterministic step ) or a disjunction of new expressions 
together with the corresponding bindings (non- deterministic step). For induc- 
tively sequential programs [3] (these are, roughly speaking, function definitions 
with one demanded argument), this strategy is called needed narrowing [5]. Nee- 
ded narrowing computes the shortest successful derivations (if common subterms 
are shared) and minimal sets of solutions. Moreover, it is fully deterministic for 
expressions that do not contain free variables. 

Constraints: In functional logic programs, it is necessary to solve equations between 
expressions containing defined functions (see Example 1). In general, an 
equation or equational constraint e1 =:= e2 is satisfied if both sides e1 and e2 are 
reducible to the same value (data term). As a consequence, if both sides are 
undefined (non-terminating), then the equality does not hold.² Operationally, 
an equational constraint e1 =:= e2 is solved by evaluating e1 and e2 to unifiable 
data terms, where the lazy evaluation of the expressions is interleaved with the 
binding of variables to constructor terms [21]. Thus, an equational constraint 
e1 =:= e2 without occurrences of defined functions has the same meaning (unification) 
as in Prolog. Curry’s basic kernel only provides equational constraints. 
Constraint solvers for other constraint structures can be conceptually integrated 
without difficulties. The practical realization of this integration is one of the 
goals of this work. 

Concurrent computations: To support flexible computation rules and avoid an 
uncontrolled instantiation of free argument variables, Curry gives the option 
to suspend a function call if a demanded argument is not instantiated. Such 
functions are called rigid, in contrast to flexible functions, which instantiate 
their arguments when the instantiation is necessary to continue the evaluation 
of a call. As a default that is easy to change, Curry’s constraints (i.e., functions with 
result type Constraint) are flexible whereas non-constraint functions are rigid. 
Thus, purely logic programs (where predicates correspond to constraints) behave 
as in Prolog, and purely functional programs are executed as in lazy functional 
languages, e.g., Haskell. 

To continue a computation in the presence of suspended function calls, 
constraints are combined with the concurrent conjunction operator &. The constraint 
c1 & c2 is evaluated by solving c1 and c2 concurrently. 

A design principle of Curry is the clear separation of sequential and concur- 
rent activities. Sequential computations, which form the basic units of a pro- 
gram, are expressed as usual functional (logic) programs and are composed into 
concurrent computation units via concurrent conjunctions of constraints. This 
separation supports the use of efficient and optimal evaluation strategies for the 
sequential parts. Similar techniques for the concurrent parts are not available. 
This is in contrast to other more fine-grained concurrent computation models 
like AKL [19], CCP [27], or Oz [28]. 

Monadic I/O: To support real applications, the monadic I/O concept of Haskell 
[29] has been adapted to Curry to perform I/O in a declarative manner. In the 
monadic approach to I/O, an interactive program is considered as a function 
computing a sequence of actions which are applied to the outside world. An 
action has type “IO a”, which means that it returns a result of type a whenever 
it is applied to a particular state of the world. For instance, getChar, 
of type “IO Char”, is an action whose execution, i.e., application to a world, 
reads a character from the standard input. Actions can be composed only 
sequentially in a program and their composition is executed whenever the main 
program is executed. For instance, the action getChar can be composed with 
the action putChar (which has type Char -> IO () and writes a character 
to the terminal) by the sequential composition operator >>= (which has type 
IO a -> (a -> IO b) -> IO b). Thus, “getChar >>= putChar” is a composed 
action which prints the next character of the input stream on the screen. The 
second composition operator, >>, is like >>=, but ignores the result of the first 
action. Furthermore, done is the “empty” action which does nothing (see [29] for 
more details). For instance, a function which takes a string (list of characters) 
and produces an action that prints the string to the terminal followed by a new 
line is defined as follows: 

putStrLn [] = putChar ’\n’ 
putStrLn (c:cs) = putChar c >> putStrLn cs 

² This notion of equality, known as strict equality [9,22], is the only reasonable notion 
of equality in the presence of non-terminating functions. 

In the next section, we will describe a transformation scheme to implement this 
computation model in Prolog. 



3 A Transformation Scheme for Curry Programs 

As mentioned above, the evaluation of nested expressions is based on a lazy stra- 
tegy. The exact strategy is specified via definitional trees [3], a data structure for 
the efficient selection of the outermost reducible expressions. Direct transforma- 
tions of definitional trees into Prolog (without an implementation of concurrency 
features) have been proposed in [2,4,11,21]. Definitional trees deal with arbitra- 
rily large patterns and use the notion of “position” (i.e., a sequence of positive 
integers) to specify the subterm where the next evaluation step must be perfor- 
med. We avoid this complication and obtain a simpler transformation by first 
compiling definitional trees into case expressions as described, e.g., in [14]. Thus, 
each function is defined by exactly one rule in which the right-hand side contains 
case expressions to specify the pattern matching of actual arguments. For 
instance, the function conc in Example 1 is transformed into: 

conc xs ys = case xs of [] -> ys 
                        (z:zs) -> z : conc zs ys 

A case expression is evaluated by reducing its first argument to a head normal 
form, i.e., a term which has no defined function symbol at the top, and matching 
this reduced term with one of the patterns of the case expression. Pattern 
matching via case expressions is used for both rigid and flexible functions: case 
expressions are used for rigid functions, whereas flexcase expressions are 
used for flexible functions. The difference is that a case expression suspends if 
the head normal form is a free variable, whereas a flexcase expression (don’t 
know non-deterministically) instantiates the variable to the different constructors 
in the subsequent patterns. 

To implement functions with overlapping left-hand sides (where there is no 
single argument on which a case distinction can be made), there is also a 
disjunctive expression “e1 or e2” meaning that both alternatives are don’t know 
non-deterministically evaluated.³ For instance, the function 

0 * x = 0 
x * 0 = 0 

is transformed into the single rule 

x * y = or (flexcase x of 0 -> 0) 
           (flexcase y of 0 -> 0) 

under the assumption that * is a flexible operation. 

³ In the implementation described in this paper, don’t know non-determinism is 
implemented via backtracking as in Prolog. 
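To make the operational difference between case, flexcase and or concrete, here is a small Python evaluator for the rules of f from Section 2, the rigid function g of Example 2 below and the operation * above. It is an added illustration, not code from the paper or from any Curry system: the names Var, Call, case, solve and the encoding of constructor terms as tuples are ours. A rigid case that meets a free variable yields the marker SUSPEND (the role of the block declarations later in the paper), a flexcase binds the variable to each pattern constructor in turn (one needed-narrowing step per branch), and or is plain alternation, so the overlapping rules of * yield one solution per alternative.

```python
SUSPEND = "SUSPEND"  # marker: the computation blocks on a free variable


class Var:
    """Logical variable; bindings live in a substitution dict, not in the Var."""
    def __init__(self, name):
        self.name = name


class Call:
    """Call of a defined function; args are constructor terms, Vars or Calls."""
    def __init__(self, fn, *args):
        self.fn, self.args = fn, args


# Constructor terms are tuples (name, *args); constants are 0-ary tuples.
NIL, ZERO, ONE, TWO, THREE = ("[]",), ("0",), ("1",), ("2",), ("3",)


def deref(t, sub):
    while isinstance(t, Var) and t in sub:
        t = sub[t]
    return t


def hnf(t, sub):
    """Yield all (head normal form, substitution) alternatives of term t."""
    t = deref(t, sub)
    if isinstance(t, Call):
        yield from FUNS[t.fn](*t.args, sub=sub)
    else:
        yield t, sub


def case(scrutinee, sub, branches, flexible):
    """branches: (ctor, arity, handler) triples; handler(args, sub) yields results.
    A rigid case (flexible=False) suspends on a free variable; a flexcase binds
    the variable to each branch constructor in turn, with fresh argument variables."""
    for h, s in hnf(scrutinee, sub):
        if h == SUSPEND:
            yield SUSPEND, s
        elif isinstance(h, Var):
            if not flexible:
                yield SUSPEND, s  # rigid: wait until someone binds the variable
                continue
            for ctor, arity, handler in branches:  # narrowing step, one per branch
                fresh = [Var(f"_{ctor}{i}") for i in range(arity)]
                yield from handler(fresh, {**s, h: (ctor, *fresh)})
        else:
            for ctor, arity, handler in branches:
                if h[0] == ctor:
                    yield from handler(list(h[1:]), s)


def f(x, sub):  # f 0 = 2 ; f 1 = 3             (flexible)
    yield from case(x, sub, [("0", 0, lambda a, s: [(TWO, s)]),
                             ("1", 0, lambda a, s: [(THREE, s)])], flexible=True)


def g(x, sub):  # g [] = []                      (rigid, as in Example 2)
    yield from case(x, sub, [("[]", 0, lambda a, s: [(NIL, s)])], flexible=False)


def times(x, y, sub):  # x * y = or (flexcase x of 0 -> 0) (flexcase y of 0 -> 0)
    zero = [("0", 0, lambda a, s: [(ZERO, s)])]
    yield from case(x, sub, zero, flexible=True)  # first alternative of `or`
    yield from case(y, sub, zero, flexible=True)  # second alternative (backtracking)


FUNS = {"f": f, "g": g, "*": times}


def show(t, sub):
    t = deref(t, sub)
    if isinstance(t, Var):
        return t.name
    return t[0] if len(t) == 1 else "(%s %s)" % (t[0], " ".join(show(a, sub) for a in t[1:]))


def solve(term, *free):
    """All results of evaluating `term` to head normal form: (value, bindings of `free`)."""
    return [(SUSPEND if h == SUSPEND else show(h, s),
             {v.name: show(v, s) for v in free if v in s})
            for h, s in hnf(term, {})]


if __name__ == "__main__":
    x, y = Var("x"), Var("y")
    print(solve(Call("f", x), x))        # [('2', {'x': '0'}), ('3', {'x': '1'})]
    print(solve(Call("g", x), x))        # [('SUSPEND', {})]: rigid g waits for x
    print(solve(Call("*", ZERO, y), y))  # [('0', {}), ('0', {'y': '0'})]
```

Nesting works as in the paper's scheme: f (0 * y) first enumerates the alternatives of the inner or, then matches each resulting head normal form against the patterns of f, so it has two solutions, one of them with the binding y = 0.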

Transformation schemes for programs where all the functions are flexible have 
been proposed in [2,4,11,21]. These proposals are easily adaptable to our repre- 
sentation using case and or expressions. The challenge of the implementation 
of Curry is the development of a transformation scheme that provides both the 
suspension of function calls and the concurrent evaluation of constraints (which 
will be discussed later) . 



3.1 Implementing Concurrent Evaluations 

Most of the current Prolog systems support coroutining and the delaying of literals 
[23] if some arguments are not sufficiently instantiated. One could use these 
features to provide the suspension, when required, of calls to rigid functions. 
However, in conditional rules it is not sufficient to delay the literals corresponding 
to suspended function calls. One has to wait until the condition has been 
completely proved to avoid introducing unnecessary computations or infinite loops. 
The following example helps in understanding this problem. 

Example 2. Consider the function definitions 

f x y | g x =:= y = h y 
g [] = [] 
h [] = [] 
h (z:zs) = h zs 

where g is rigid and h is flexible. To evaluate the expression “f x y” (where 
x and y are free variables), the condition “g x =:= y” must be proved. Since 
g is rigid, this evaluation suspends and the right-hand side is not evaluated. 
However, if we only delay the evaluation of the condition and proceed with the 
right-hand side, we run into an infinite loop by applying the last rule forever 
(since h is flexible, it keeps instantiating its argument to z:zs and calling itself 
on zs). This loop is avoided if x is eventually instantiated by another thread of 
the entire computation. □ 

To explain how we solve this problem we distinguish between sequential and 
concurrent computations. A sequential computation is a sequence of calls to 
predicates. When a call is activated, it may return for two reasons: either the 
call’s computation has completed or the call’s computation has been suspended 
or delayed. In a sequential computation, we want to execute a call only if the 
previous call has completed. Thus, we add an input argument and an output 
argument to each predicate. Each argument is a variable that is either 
uninstantiated or bound to a constant, by convention the symbol eval, which stands 
for “fully evaluated”. We use these arguments as follows. In a sequential 
computation, the call to a predicate is executed if and only if its input argument 
is instantiated to eval. Likewise, a computation has completed if and only if 
its output argument is instantiated to eval. As one would expect, we chain the 
output argument of a call to the input argument of the next call to ensure the 
sequentiality of a computation. 

Compiling Multi-paradigm Declarative Programs into Prolog 177 

The activation or delay of a call is easily and efficiently controlled by block 
declarations.⁴ For instance, the block declaration “?- block f(?,?,?,-,?).” 
specifies that a call to f is delayed if the fourth argument is a free variable. 
According to the scheme just described, we obtain the following clauses for the 
rules defining the functions f and g above:⁵ 

?- block f(?,?,?,-,?). 
f(X,Y,Result,Ein,Eout) :- eq(g(X),Y,Ein,E1), h(Y,Result,E1,Eout). 

?- block g(?,?,-,?). 
g(X,Result,Ein,Eout) :- hnf(X,HX,Ein,E1), g_1(HX,Result,E1,Eout). 

?- block g_1(-,?,?,?), g_1(?,?,-,?). 
g_1([],[],E,E). 

The predicate hnf computes the head normal form of its first argument. If 
argument HX of g is bound to the head normal form of X, we can match this head 
normal form against the empty list with the rule for g_1. 

We use block declarations to control the rigidity or flexibility of functions, 
as well. Since g is a rigid function, we add the block declaration g_1(-,?,?,?) 
to avoid the instantiation of free variables. A computation is initiated by setting 
argument Ein to a constant, i.e., expression (f x y) is evaluated by goal 
f(X,Y,Result,eval,Eout). If Eout is bound to eval, the computation has 
completed and Result contains the computed result (head normal form). 

Based on this scheme, the concurrent conjunction operator & is straightforwardly 
implemented by the following clauses (the constant success denotes the 
result of a successful constraint evaluation): 

&(A,B,success,Ein,Eout) :- hnf(A,HA,Ein,E1), hnf(B,HB,Ein,E2), 
                           waitconj(HA,HB,E1,E2,Eout). 

?- block waitconj(?,?,-,?,?), waitconj(?,?,?,-,?). 
waitconj(success,success,_,E,E). 

As one can see, predicate waitconj waits for the solution of both constraints. 
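The Ein/Eout chaining and the block declarations can be simulated with coroutines. The following Python is an added illustration, not the paper's Prolog and not a Curry system: each goal is a generator that yields the variable it blocks on; a sequential conjunction is a `yield from`, so the next goal starts only when the previous one has completed (its Eout became eval); and run plays the role of & together with waitconj: it keeps resuming the goals whose awaited variable has been bound and reports "suspended", the analogue of Eout staying unbound, when every remaining goal blocks. Variables are bound destructively and there is no backtracking, both simplifications of the Prolog original; Var, eq, run and the goal names are ours.

```python
NIL = "[]"  # the only constructor needed here; data terms are strings or Vars


class Var:
    """Logical variable, bound destructively (no backtracking in this simulation)."""
    def __init__(self, name):
        self.name, self.value = name, None


class Fail(Exception):
    pass


def deref(t):
    while isinstance(t, Var) and t.value is not None:
        t = t.value
    return t


def eq(a, b):
    """a =:= b on constructor constants and variables (no defined functions inside)."""
    a, b = deref(a), deref(b)
    if isinstance(a, Var):
        a.value = b
    elif isinstance(b, Var):
        b.value = a
    elif a != b:
        raise Fail(f"{a} =:= {b}")


def g(x):
    """g [] = []  (rigid): like `block g_1(-,?,?,?)`, blocks while x is free."""
    while isinstance(deref(x), Var):
        yield deref(x)            # hand the scheduler the variable we wait for
    if deref(x) != NIL:
        raise Fail("g: no rule matches")
    return NIL


def g_eq(x, y):
    """The constraint  g x =:= y  as a sequential computation."""
    r = yield from g(x)           # eq starts only after g completed (Eout = eval)
    eq(r, y)


def bind_to(v, c):
    """The constraint  v =:= c  for a constant c; never suspends."""
    eq(v, c)
    yield from ()                 # makes this a goal that finishes at once


def run(goals):
    """Concurrent conjunction of goals, in the spirit of waitconj: "eval" when all
    goals completed, "suspended" when every remaining goal blocks on a free variable."""
    waiting = {goal: None for goal in goals}   # None: runnable, else: awaited Var
    while waiting:
        ready = [gl for gl, v in waiting.items()
                 if v is None or not isinstance(deref(v), Var)]
        if not ready:
            return "suspended"
        for goal in ready:
            try:
                waiting[goal] = next(goal)     # runs until it blocks again
            except StopIteration:
                del waiting[goal]              # completed: its Eout is eval
    return "eval"


def value(v):
    t = deref(v)
    return "free" if isinstance(t, Var) else t


if __name__ == "__main__":
    x, y = Var("x"), Var("y")
    print(run([g_eq(x, y)]), value(y))                   # suspended free
    print(run([g_eq(x, y), bind_to(x, NIL)]), value(y))  # eval []
    a, b, c = Var("a"), Var("b"), Var("c")
    print(run([g_eq(a, b), g_eq(b, c)]))                 # suspended: both goals block
```

The second run is the situation of Example 2 resolved the way the paper intends: the rigid call g x blocks, the other conjunct binds x to [], and only then does the first conjunct finish and bind y. The third run shows a deadlock of two rigid goals; in the Prolog implementation this shows up as Eout remaining unbound (a floundering goal), which a caller has to check for rather than treat as success.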

The elements of our approach that most contribute to this simple trans- 
formation of Curry programs into Prolog programs are the implementation of 
concurrency and the use of both case and or expressions. Each function is trans- 
formed into a corresponding predicate to compute the head normal form of a 
call to this function. As shown above, this predicate contains additional argu- 
ments for storing the head normal form and controlling the suspension of function 
calls. Case expressions are implemented by evaluating the case argument to head 

⁴ An alternative to block is freeze, which leads to a simpler transformation scheme. 
However, our experiments indicate that freeze is a more expensive operation (at 
least in Sicstus-Prolog Version 3^5). Using freeze, the resulting Prolog programs 
were approximately six times slower than using the scheme presented in this paper. 

⁵ As usual in the transformation of functions into predicates, we transform n-ary 
functions into (n+1)-ary predicates where the additional argument contains the result 
of the function call. 
normal form. We use an auxiliary predicate to match the different cases. The 
difference between flexcase and case is only in the block declaration for the 
case argument. “or” expressions are implemented by alternative clauses and all 
other expressions are implemented by calls to predicate hnf, which computes 
the head normal form of its first argument. Thus, function conc in Example 1 
is transformed into the following Prolog clauses: 

?- block conc(?,?,?,-,?). 
conc(A,B,R,Ein,Eout) :- hnf(A,HA,Ein,E1), conc_1(HA,B,R,E1,Eout). 

?- block conc_1(-,?,?,?,?), conc_1(?,?,?,-,?). 
conc_1([],Ys,R,Ein,Eout) :- hnf(Ys,R,Ein,Eout). 
conc_1([Z|Zs],Ys,R,Ein,Eout) :- hnf([Z|conc(Zs,Ys)],R,Ein,Eout). 

Should conc be a flexible function, the block declaration conc_1(-,?,?,?,?) 
would be omitted, but the rest of the code would be unchanged. The definition 
of hnf is basically a case distinction on the different top-level symbols that can 
occur in an expression and a call to the corresponding function if there is a 
defined function at the top (compare [11,21]). 

Although this code is quite efficient due to the first argument indexing of 
Prolog implementations, it can be optimized by partially evaluating the calls to 
hnf, as discussed in [4,11]. Further optimizations could be done if it is known 
at compile time that the evaluation of expressions will not cause any suspension 
(e.g., when all arguments are ground at run time). In this case, the additional 
two arguments in each predicate and the block declarations can be omitted and 
we obtain the same scheme as proposed in [11]. This requires static analysis 
techniques for Curry which is an interesting topic for further research. 



3.2 Implementing Sharing 

Every serious implementation of a lazy language must implement the sharing of 
common subterms. For instance, consider the rule 
double x = x + x 

and the expression “double (1+2)”. If the two occurrences of the argument 
x in the rule’s right-hand side are not shared, the expression 1+2 is evaluated 
twice. Thus, sharing the different occurrences of a same variable avoids unneces- 
sary computations and is the prerequisite for optimal evaluation strategies [5]. 
In low level implementations, sharing is usually obtained by graph structures 
and destructive assignment of nodes [26] . Since a destructive assignment is not 
available in Prolog, we resort to Prolog’s sharing of logic variables. This idea has 
been applied, e.g., in [8,11,20] where the predicates implementing functions are 
extended by a free variable that, after the evaluation of the function call, is 
instantiated to the computed head normal form. Although this avoids the multiple 
evaluation of expressions, it introduces a considerable overhead when no common 
subterms occur at run time — in some cases more than 50%, as reported in [11]. 
Therefore, we have developed a new technique that causes no overhead in all 
practical experiments we performed. As seen in the example above, sharing is 
only necessary if terms are duplicated by a variable having multiple occurrences 
in a condition and/or right-hand side. Thus, we share these occurrences by 
a special share structure containing the computed result of this variable. For 
instance, the rule of double is translated into 

double(X,R,E0,E1) :- hnf(share(X,EX,RX)+share(X,EX,RX),R,E0,E1). 
In this way, each occurrence of a left-hand side variable X with multiple occurrences 
in the right-hand side is replaced by share(X,EX,RX), where RX contains 
the result computed by evaluating X. EX is bound to some constant if X has been 
evaluated. EX is necessary because expressions can also evaluate to variables in 
a functional logic language. Then, the definition of hnf is extended by the rule: 

hnf(share(X,EX,RX),RX,E0,E1) :- !, 
    ( nonvar(EX) -> E1=E0 
    ; hnf(X,HX,E0,E1), EX=eval, propagateShare(HX,RX) ). 

where propagateShare(HX,RX) puts share structures into the arguments of HX 
(yielding RX) if HX is bound to a structure and the arguments are not already 
shared. 

This implementation scheme has the advantage that the Prolog code for rules 
without multiple variable occurrences remains unchanged and consequently 
avoids the overhead for such rules (in contrast to [8,11,20]). The following table 
shows the speedup (i.e., the ratio of runtime without sharing over runtime with 
sharing), the number of reduction steps without (RS1) and with sharing (RS2), 
and the number of shared variables (SV) in the right-hand side of rules of 
programs we benchmarked. It is worth noting that the speedup for the first two 
goals reported in [11], which uses a different technique, is 0.64 (i.e., a slowdown) 
and 3.12. These values show the superiority of our technique. 

Example                              Speedup      RS1      RS2   #SV 
10000<10000+10000 =:= True               1.0    20002    20002     0 
double (double (one 100000)) =:= x      4.03   400015   100009     1 
take 25 fibs                          6650.0   196846      177     3 
take 50 primes                          15.8   298070     9867     2 
quicksort (quicksort [...])             8.75    61834     3202     2 
mergesort [...]                         91.5   303679     1057    14 



Program analysis techniques are more promising with our scheme than with 
[8,11,20]. For instance, no share structures must be introduced for argument 
variables that definitely do not contain function calls at run time, e.g., arguments 
that are always uninstantiated or bound to constructor terms. 

3.3 Constraints 

Equational constraints, denoted e1 =:= e2, are solved by lazily evaluating each 
side to unifiable data terms. In our translation, we adopt the implementation of 
this mechanism in Prolog presented in [21]. Basically, equational constraints are 
solved by a predicate, eq, which computes the head normal form of its arguments 
and performs a variable binding if one of the arguments is a variable. 

?- block eq(?,?,-,?). 
eq(A,B,Ein,Eout) :- hnf(A,HA,Ein,E1), hnf(B,HB,E1,E2), 
                    eq_hnf(HA,HB,E2,Eout). 

?- block eq_hnf(?,?,-,?). 
eq_hnf(A,B,Ein,Eout) :- var(A), !, bind(A,B,Ein,Eout). 
eq_hnf(A,B,Ein,Eout) :- var(B), !, bind(B,A,Ein,Eout). 
eq_hnf(c(X1,...,Xn),c(Y1,...,Yn),Ein,Eout) :- !,        % for all n-ary constructors c 
    hnf((X1=:=Y1)&...&(Xn=:=Yn),_,Ein,Eout). 

bind(X,Y,E,E) :- var(Y), !, X=Y. 
bind(X,c(Y1,...,Yn),Ein,Eout) :- !,                     % for all n-ary constructors c 
    occurs_not(X,Y1), ..., occurs_not(X,Yn), X=c(X1,...,Xn), 
    hnf(Y1,HY1,Ein,E1), bind(X1,HY1,E1,E2), 
    ..., 
    hnf(Yn,HYn,E2n-2,E2n-1), bind(Xn,HYn,E2n-1,Eout). 

Due to the lazy semantics of the language, the binding is performed incrementally. 
We use an auxiliary predicate, bind, which performs an occur check followed 
by an incremental binding of the goal variable and the binding of the 
arguments. 

Similarly, the evaluation of an expression e to its normal form, which is 
the intended meaning of e, is implemented by a predicate, nf, that repeatedly 
evaluates all e’s subexpressions to head normal form. 

Apart from the additional arguments for controlling suspensions, this scheme 
is identical to the scheme proposed in [21]. Unfortunately, this scheme generally 
causes a significant overhead when one side of the equation is a variable and the 
other side evaluates to a large data term. In this case, the incremental instan- 
tiation of the variable is unnecessary and causes the overhead, since it creates 
a new data structure and performs an occur check. We avoid this overhead by 
evaluating to normal form, if possible, the term to which the variable must be 
bound. To this aim, we replace bind with bind_trynf in the clauses of eq_hnf 
together with the following new clause: 

bind_trynf(X,T,Ein,Eout) :- nf(T,NT,Ein,E1), 
    ( nonvar(E1) -> occurs_not(X,NT), X=NT, Eout=E1 
    ; bind(X,T,Ein,Eout) ). 

If the evaluation to normal form does not suspend, the variable X is bound to the 
normal form by X=NT, otherwise the usual predicate for incremental binding is 
called. Although this new scheme might cause an overhead due to potential 
re-evaluations, this situation did not occur in any of our experiments. In some 
practical benchmarks, we have measured a speedup of up to a factor of 2. 
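The interplay of eq, bind and bind_trynf, and in particular the occur check, can be tried out with the following added Python model. It is ours, not the paper's Prolog, and it has no suspension, so the fallback branch of bind_trynf never runs. Function calls are Call objects reduced on demand by hnf, conc is the list concatenation of Example 1, and the counter of binding steps makes visible what the text claims: bind allocates one constructor per level and checks for an occurrence of X at every level, whereas bind_trynf evaluates the term to normal form, checks once and binds once. The occur check is also what keeps x =:= 1:x from creating a cyclic term, which a strict equality would otherwise chase forever (plain Prolog unification, without occur check, would happily build it).

```python
class Var:
    """Logical variable; bindings are kept in a substitution dict."""
    def __init__(self, name):
        self.name = name

class Call:
    """Unevaluated call of a defined function: fn(*args, sub) returns the next term."""
    def __init__(self, fn, *args):
        self.fn, self.args = fn, args

class Fail(Exception): pass
class OccursCheck(Fail): pass

# Constructor terms are tuples (name, *args); constants are 0-ary tuples.
NIL = ("[]",)

def cons(x, xs):
    return (":", x, xs)

def lst(*xs):
    return cons(xs[0], lst(*xs[1:])) if xs else NIL

def deref(t, sub):
    while isinstance(t, Var) and t in sub:
        t = sub[t]
    return t

def hnf(t, sub):
    """Reduce t until a constructor or a free variable is on top."""
    t = deref(t, sub)
    while isinstance(t, Call):
        t = deref(t.fn(*t.args, sub), sub)
    return t

def nf(t, sub):
    """Full normal form: hnf applied recursively to all arguments."""
    h = hnf(t, sub)
    return h if isinstance(h, Var) else (h[0], *(nf(a, sub) for a in h[1:]))

def occurs(x, t, sub):
    """Does variable x occur in t?  Looks inside unevaluated calls as well."""
    t = deref(t, sub)
    if isinstance(t, Var):
        return t is x
    return any(occurs(x, a, sub) for a in (t.args if isinstance(t, Call) else t[1:]))

def conc(xs, ys, sub):  # conc [] ys = ys ; conc (x:xs) ys = x : conc xs ys
    h = hnf(xs, sub)
    return ys if h == NIL else cons(h[1], Call(conc, h[2], ys))

def bind(x, t, sub, stats):
    """bind(X,T): bind free X to head normal form T one constructor level at a time."""
    if isinstance(t, Var):
        sub[x] = t
        return
    if any(occurs(x, a, sub) for a in t[1:]):   # occurs_not(X,Y1), ..., occurs_not(X,Yn)
        raise OccursCheck(x.name)
    fresh = [Var(f"{x.name}_{i}") for i in range(len(t) - 1)]
    sub[x] = (t[0], *fresh)                     # X = c(X1,...,Xn)
    stats["binds"] += 1
    for xi, yi in zip(fresh, t[1:]):            # hnf(Yi,HYi), bind(Xi,HYi)
        bind(xi, hnf(yi, sub), sub, stats)

def bind_trynf(x, t, sub, stats):
    """bind_trynf(X,T): evaluate T to normal form, one occur check, one binding."""
    n = nf(t, sub)
    if occurs(x, n, sub):
        raise OccursCheck(x.name)
    sub[x] = n
    stats["binds"] += 1

def eq(a, b, sub, stats, binder=bind):
    """Strict equality a =:= b: evaluate both sides to hnf, then bind or descend."""
    ha, hb = hnf(a, sub), hnf(b, sub)
    if isinstance(ha, Var):
        binder(ha, hb, sub, stats)
    elif isinstance(hb, Var):
        binder(hb, ha, sub, stats)
    elif ha[0] == hb[0] and len(ha) == len(hb):
        for xa, xb in zip(ha[1:], hb[1:]):
            eq(xa, xb, sub, stats, binder)
    else:
        raise Fail(f"{ha[0]} vs {hb[0]}")

def show(t, sub):
    t = hnf(t, sub)
    if isinstance(t, Var):
        return t.name
    return show(t[1], sub) + ":" + show(t[2], sub) if t[0] == ":" else t[0]

def solve(a, b, free, binder=bind):
    """Solve a =:= b; returns (status, number of binding steps, bindings of `free`)."""
    sub, stats = {}, {"binds": 0}
    try:
        eq(a, b, sub, stats, binder)
    except OccursCheck:
        return ("occurs", stats["binds"], {})
    except Fail:
        return ("fail", stats["binds"], {})
    return ("ok", stats["binds"], {v.name: show(v, sub) for v in free if v in sub})

if __name__ == "__main__":
    one, two, three = ("1",), ("2",), ("3",)
    x, y = Var("x"), Var("y")
    goal = lambda: Call(conc, lst(one), lst(two, three))   # conc [1] [2,3]
    print(solve(x, goal(), [x]))                    # ('ok', 7, {'x': '1:2:3:[]'})
    print(solve(x, goal(), [x], bind_trynf))        # ('ok', 1, {'x': '1:2:3:[]'})
    print(solve(lst(x, one), lst(two, y), [x, y]))  # ('ok', 2, {'x': '2', 'y': '1'})
    print(solve(x, cons(one, x), [x]))              # ('occurs', 0, {})
    print(solve(goal(), lst(two), []))              # ('fail', 0, {})
```

The seven versus one binding steps for x =:= conc [1] [2,3] are the overhead the text describes: three list cells, three elements and the final [] are each bound (and occur-checked) separately by bind, while bind_trynf binds the whole evaluated list at once.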

The compilation of Curry programs into Prolog greatly simplifies the integra- 
tion of constraint solvers for other constraint structures, if the underlying Prolog 
system offers solvers for these structures. For instance, Sicstus-Prolog includes a 
solver for arithmetic constraints over reals, which are denoted by enclosing the 
constraint between curly brackets. E.g., the goal {3.5=1.7+X} binds X to 1.8. We 
make these constraints available in Curry by translating them into the corresponding 
constraints of Sicstus-Prolog. For instance, the inequational constraint 
e1 < e2 is translated as follows. First, e1 and e2, which might contain user-defined 
functions or might be variables, are evaluated to their (head) normal forms, say 
e1' and e2'. Then, the goal {e1' < e2'} is called. With this technique, all constraint 
solvers available in Sicstus-Prolog become available in Curry. 

3.4 Further Features 

Curry supports standard higher-order constructs such as lambda abstractions 
and partial applications. In Prolog, the higher-order features of Curry are 
implemented according to Warren’s original proposal [30] to translate higher-order 
constructs into first-order logic programming. A lambda abstraction is eliminated 
by transforming it into a top-level definition of a new function. Consequently, 
the fundamental higher-order construct is a binary function, apply, which applies 
its first argument, a function, to its second argument, the function’s intended 
argument. For each n-ary function or constructor f, we introduce n-1 
constructors with the same name. This enables us to implement the application 
function with the following Prolog clauses: 

apply(f(X1,...,Xk),X,f(X1,...,Xk,X),E,E).                % 0 <= k < n-1 
apply(f(X1,...,Xn-1),X,H,E0,E) :- hnf(f(X1,...,Xn-1,X),H,E0,E). 

Note that predicate apply should be called only for partial applications or 
applications where the first argument is not known at compile time to be a 
defined function or a constructor. In other words, all first-order calls are directly 
translated without using apply as shown in the previous sections. This implementation 
of apply has the advantage that the unique matching clause is found 
in constant time due to the first argument indexing of Prolog systems. Although 
the number of apply clauses could be high for large applications, and there are 
alternative schemes that avoid this problem (e.g., [24]), we have found that this 
scheme causes no problems for programs with several hundred functions. 

Monadic I/O is easily implemented by introducing a special constructor (de- 
noted by “$io”) to hold the result of an I/O action. For instance, getChar is 
implemented as a procedure which reads a character, c, from standard input 
and returns the term “$io c” whenever it is evaluated. With this approach, 
both sequential composition operators >>= and >> for actions are defined by: 
($io x) >>= fa = fa x 
($io _) >> b = b 

Thus, the first action is evaluated to head normal form before the second action 
is applied. This simple implementation has, however, a pitfall. The result of an 
I/O action should not be shared, otherwise I/O actions will not be executed 
as intended. For instance, the expressions “putChar ’X’ >> putChar ’X’” and 
“let a = putChar ’X’ in a >> a” are equivalent but would produce different 
results with sharing. Luckily, the intended behavior can be obtained by a slight 
change of the definition of hnf so that terms headed by $io are not shared. 
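As an added illustration (constructed for this page; it is neither the paper's compiler nor SICStus code), the following Python model reproduces the two mechanisms described above: the apply scheme, in which an n-ary function f doubles as the constructors that hold its partial applications and the saturated call is handed to hnf, and the $io pitfall, in which memoising a shared I/O result makes `let a = putChar 'X' in a >> a` print only once. The function table (inc, add, twice, putChar, getChar, seq for >> and bind for >>=), the Call/Con/Thunk encoding and the share_io switch are assumptions of the demo; Prolog's first-argument indexing and the E0/E state arguments are not modelled.

```python
"""Model of the apply scheme and of $io sharing (constructed example)."""
from dataclasses import dataclass

@dataclass
class Call:      # f(X1,...,Xk): a constructor (partial application) while k < ARITY[f]
    name: str
    args: list

@dataclass
class Con:       # data constructor term, e.g. Con('$io', [x])
    name: str
    args: list

@dataclass
class Thunk:     # a shared subexpression (a let-bound or duplicated argument)
    expr: object
    memo: object = None
    done: bool = False

# Assumed function table; seq models (>>), bind models (>>=).
ARITY = {'inc': 1, 'add': 2, 'twice': 2, 'putChar': 1, 'getChar': 0,
         'seq': 2, 'bind': 2}

class Runtime:
    def __init__(self, stdin='', share_io=False):
        self.stdin, self.out, self.share_io = iter(stdin), [], share_io

    def hnf(self, t):
        """Reduce t to head normal form: a literal, a data constructor or a
        partial application."""
        if isinstance(t, Thunk):
            if t.done:
                return t.memo
            v = self.hnf(t.expr)
            # The fix from the text: never memoise a term headed by $io, so a
            # duplicated action is executed again each time it is demanded.
            if self.share_io or not (isinstance(v, Con) and v.name == '$io'):
                t.memo, t.done = v, True
            return v
        if isinstance(t, Call) and len(t.args) == ARITY[t.name]:
            return self.rule(t.name, t.args)
        return t

    def apply(self, f, x):
        """apply(F, X) for a partial application F = f(X1..Xk), k < n: the
        extended term is either a larger partial application (already in
        head normal form, so hnf returns it unchanged) or a saturated call,
        which hnf evaluates; this mirrors the two Prolog clauses."""
        f = self.hnf(f)
        assert isinstance(f, Call) and len(f.args) < ARITY[f.name]
        return self.hnf(Call(f.name, f.args + [x]))

    def rule(self, name, a):
        """The function definitions; h(arg) demands an argument."""
        h = self.hnf
        if name == 'inc':
            return h(a[0]) + 1
        if name == 'add':
            return h(a[0]) + h(a[1])
        if name == 'twice':                       # twice f x = f (f x)
            return self.apply(a[0], self.apply(a[0], a[1]))
        if name == 'putChar':                     # writes c, returns $io ()
            self.out.append(h(a[0]))
            return Con('$io', [None])
        if name == 'getChar':                     # reads c, returns $io c
            return Con('$io', [next(self.stdin)])
        if name == 'seq':                         # ($io _) >> b = b
            assert h(a[0]).name == '$io'
            return h(a[1])
        if name == 'bind':                        # ($io x) >>= fa = fa x
            return self.apply(a[1], h(a[0]).args[0])
        raise ValueError(name)

def demo_partial_application():
    """twice inc 5, built only through apply; evaluates to 7."""
    rt = Runtime()
    return rt.apply(rt.apply(Call('twice', []), Call('inc', [])), 5)

def demo_io_sharing(share_io):
    """let a = putChar 'X' in a >> a, then getChar >>= putChar with 'q' on
    stdin. Returns everything written: 'XXq' when $io results are not
    shared, 'Xq' when they are (the pitfall)."""
    rt = Runtime(stdin='q', share_io=share_io)
    a = Thunk(Call('putChar', ['X']))
    rt.hnf(Call('seq', [a, a]))
    rt.hnf(Call('bind', [Call('getChar', []), Call('putChar', [])]))
    return ''.join(rt.out)
```

Runtime(share_io=True) memoises every thunk, including $io-headed results, so demo_io_sharing(True) writes only one X; the default, which mirrors the change to hnf described in the text, re-executes the duplicated action and writes two. Partial applications such as Runtime().apply(Call('add', []), 1) stay Call terms, i.e. constructors, until the last argument arrives.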

The primitives of Curry to encapsulate search and define new search strate- 
gies [17] cannot be directly implemented in Prolog due to its fixed backtracking 
strategy. However, one can implement some standard depth-first search strate- 
gies of Curry via Prolog’s findall and bagof primitives. 
4 Experimental Results 

We have developed a compiler from Curry programs into Prolog programs 
(SICStus Prolog Version 3#5) based on the principles described in this paper. 
The practical results are quite encouraging. For instance, the classic 
"naive reverse" benchmark runs at approximately 660,000 rule applications 
per second on a Linux PC (Pentium II, 400 MHz) with SICStus 3 (without 
native code). Note that Curry's execution with a lazy strategy 
is costlier than Prolog’s execution. Although the development of the compiler is 
relatively simple, due to the transformation schemes discussed in the paper, our 
implementation is competitive w.r.t. other high-level and low-level implemen- 
tations of Curry and similar functional logic languages. We have compared our 
implementation to a few other implementations of declarative multi-paradigm 
languages available to us. The following table shows the results of benchmarks 
for various features of the language. 



Program          Prolog    Toy   Java-1   Java-2   UPV-Curry
rev180               50    110     1550      450       43300
twice120             30     60      760      190       40100
qqsort20             20     20      230       45       72000
primes50             80     90      810      190    >2000000
lastrev120           70    160     2300      820       59700
horse                 5     10       50       15         200
account              10   n.a.      450      670        2050
chords              220   n.a.     4670     1490        n.a.
Average speedup:         1.77    23.39    13.55      1150.1



All benchmarks are executed on a Sun Ultra-2. The execution times are measured 
in milliseconds. The column “Prolog” contains the results of the implementation 
presented in this paper. “Toy” [7] is an implementation of a narrowing-based 
functional logic language (without concurrency) which, like ours, compiles into 
Prolog. This implementation is based on the ideas described in [21]. “Java-1” 
is the compiler from Curry into Java described in [16]. It uses JDK 1.1.3 to 
execute the compiled programs. “Java-2” differs from the former by using JDK 
1.2. This system contains a Just-in-Time compiler. Finally, UPV-Curry [1] is an 
implementation of Curry based on an interpreter written in Prolog that employs 
an incremental narrowing algorithm. 

Most of the programs, which are small, test various features of Curry. 
"rev180" reverses a list of 180 elements with the naive reverse function. 
"twice120" executes the call "twice (rev l)", where twice is defined by 
"twice xs = conc xs xs" and l is a list of 120 elements. "qqsort20" calls 
quicksort (defined with higher-order functions) twice on a list of 20 elements. 
"primes50" computes the infinite list of prime numbers and extracts the first 
50 elements. "lastrev120" computes the last element x of a list by solving the 
equation "conc xs [x] =:= rev [...]". "horse" is a simple puzzle that needs 
some search. "account" is a simulation of a bank account that uses the concurrency 
features of Curry. "chords", the largest of our benchmarks, is a musical 
application [15] that uses encapsulated search, laziness, and monadic I/O. 

The comparison with Toy shows that our implementation of the concurrency 
features does not cause a significant overhead compared to a pure-narrowing- 
based language. Furthermore, the “account” example, which heavily uses con- 
current threads, demonstrates that our implementation is competitive with an 
implementation based on Java threads. Although the table indicates that our 
implementation is superior to other available systems, implementations compi- 
ling to C or machine languages may be more efficient. However, the development 
effort of these lower level implementations is much higher. 



5 Related Work and Conclusions 



The idea of implementing functional logic programs by transforming them into 
logic programs is not new. An evaluation of different implementations is presen- 
ted in [11], where it is demonstrated that functional logic programs based on 
needed narrowing are superior to other narrowing-based approaches. There are 
several proposals of compilation of needed narrowing into Prolog [4,11,21]. All 
these approaches lack concurrent evaluations. Moreover, the implementation of 
sharing, similar in all these approaches, is less efficient than in our proposal, as 
can be verified in the comparison table (see columns “Prolog” and “Toy”). 

Naish [24] has proposed NUE-Prolog, an integration of functions into Prolog 
programs obtained by transforming function definitions into Prolog clauses with 
additional "when" declarations. When declarations, which are similar in scope 
to the block declarations that we propose, suspend the function calls until the 
arguments are sufficiently instantiated. The effect of this suspension is that all 
functions are rigid; flexible functions are not supported. Functions intended to 
be flexible must be encoded as predicates by flattening. This approach has the 
drawback that optimal evaluation strategies [5] cannot be employed for the logic 
programming part of a program. Strict and lazy functions can be freely mixed, 
which makes the meaning of programs harder to understand (e.g., the meaning 
of equality in the presence of infinite data structures) . NUE-Prolog uses a form of 
concurrency for suspending function calls, as we do. But it is more restrictive in 
that there is no possibility to wait for the complete evaluation of an expression. 
This leads to the undesired behavior discussed in Example 2. 

Apart from the efficiency and simplicity of our transformation scheme of 
Curry into Prolog programs, the use of Prolog as a target language has further 
advantages. A high-level implementation more easily accommodates the inclusion 
of additional features. For instance, the implementation of a standard program 
tracer w.r.t. Byrd’s box model [6] requires only the addition of four clauses to 
each program and two predicate calls for each implemented function. The most 
important advantage is the reuse of existing constraint solvers available in Pro- 
log, as shown in Section 3.3. Thus, with a limited effort, we obtain a usable 
implementation of a declarative language that combines constraint solving over 
various constraint domains, concurrent evaluation and search facilities from logic 
programming with higher-order functions and laziness from functional programming. 
The combination of laziness and search is attractive because it offers a 
modular implementation of demand-driven search strategies, as shown in [15]. 

Since the compilation time of our implementation is reasonable, this Prolog- 
based implementation supports our current main development system for Curry 
programs. This system has been used to develop large distributed applications 
with sophisticated graphical user interfaces and Web-based information servers 
that run for weeks without interruption (see [13] for more details). By taking 
advantage of both the features of our system and already developed code, we can 
make available on the Internet constraint programming applications in minutes. 

Abstract. We introduce a notion of modular redundancy for theorem 
proving. It can be used to exploit redundancy elimination techniques (like 
tautology elimination, subsumption, demodulation or other more refined 
methods) in combination with arbitrary existing theorem provers, in a 
refutation complete way, even if these provers are not (or not known 
to be) complete in combination with the redundancy techniques when 
applied in the usual sense. 



1 Introduction 

The concept of saturation in theorem proving is nowadays a well-known, widely 
recognized useful concept. The main idea of saturation is that a theorem proving 
procedure does not need to compute the closure of a set of formulae w.r.t. a 
given inference system, but only the closure up to redundancy. Examples of 
early notions of redundancy (in the context of resolution) are the elimination 
of tautologies and subsumption. Bachmair and Ganzinger gave more general 
abstract notions of redundancy for inferences and formulae (see, e.g., [BG94]), 
where, roughly, something is redundant if it is a logical consequence of smaller 
logical formulae (w.r.t. a given ordering on formulae). In provers based on ordered 
resolution, paramodulation or superposition w.r.t. a total reduction ordering 
on ground terms $>$, apart from standard methods like removing tautologies, 
subsumption, or demodulation w.r.t. $>$, these abstract redundancy notions cover 
a large number of other practical techniques [NN93,GNN98]. 

However, in other contexts refutation completeness is lost if such redundancy 
elimination methods are applied. For example, the elimination of certain clas- 
ses of tautologies is incompatible with logic programming with equality and 
arbitrary selection rules [Lyn97] and it is also incompatible with strict superpo- 
sition [BG98]. Another situation where even less redundancy can be used is in 
the context of paramodulation with non-monotonic orderings [BGNR99] , which 
is needed when monotonic orderings are not available, like in Knuth-Bendix com- 
pletion of arbitrary terminating term rewrite systems, or in deduction modulo 
certain equational theories E for which no monotonic E-compatible orderings 
exist. Apart from these situations where it is known that the standard redun- 
dancy techniques cannot be used, there is also a large number of other cases 
where the compatibility with redundancy is unknown, or where for the com- 
pleteness proof techniques applied it is unclear how to extend them to include 
redundancy, or where the theorem proving method is simply not based on the 
closure under a set of inference rules. 

For all these cases our aim is to provide here modular notions of redundancy. 
Assume we have an unsatisfiable initial set of formulae $S_0$, and we want to prove 
its unsatisfiability by some refutation complete prover $\mathcal{P}$ that is a "black box", 
i.e., apart from its refutation completeness nothing is known about it. In par- 
ticular, nothing is known about its compatibility w.r.t. redundancy elimination 
methods. In principle, the prover $\mathcal{P}$ may be based on any technique, but in our 
context it will be useful that $\mathcal{P}$ soundly generates new formulae that are con- 
sequences from its input (this happens, for instance, if $\mathcal{P}$ is based on a sound 
inference system). 

Now the problem we address is: how, and up to which degree, can we still 
exploit redundancy elimination methods in this general context? 

One instance of our ideas roughly amounts to the following. Apart from the 
prover $\mathcal{P}$, there is a redundancy module $\mathcal{R}$ that works with a given arbitrary well- 
founded ordering $>$ on formulae (this ordering $>$ may be completely different 
from the one $\mathcal{P}$ uses, if $\mathcal{P}$ is based on some ordered inference system). The 
redundancy module $\mathcal{R}$ keeps track of a set of formulae $U$ that is assumed to be 
unsatisfiable. Initially, $U$ is $S_0$. Each time a new formula is generated by $\mathcal{P}$, this 
is communicated to $\mathcal{R}$, which uses this information to try to prove the redundancy 
of some formula $F$ of $U$, i.e., it checks whether $F$ follows from smaller (w.r.t. $>$) 
formulae $G_1, \dots, G_n$ that are in $U$ or have been generated by $\mathcal{P}$ (or are logical 
consequences of these). Each time this is the case, a new set $U$ is obtained by 
replacing $F$ by $G_1, \dots, G_n$. This fact is then communicated to $\mathcal{P}$, whose aim 
becomes to refute the new $U$ instead of the previous one. In a naive setting, $\mathcal{P}$ 
could simply restart with the new $U$, but of course one can do better. Instead, $\mathcal{P}$ 
can apply several techniques (that may already be implemented in $\mathcal{P}$) in order to 
exploit the new situation. For example, $\mathcal{P}$ can apply orphan murder techniques: 
the descendants of $F$ that have already been computed by $\mathcal{P}$ can be eliminated 
(although some of them can be kept if we want to completely avoid the repeated 
computation of formulae; for this, some additional bookkeeping is required). In 
this procedure, $U$ is a finite set of formulae that decreases w.r.t. the well-founded 
multiset extension of $>$ each time it is modified. Hence at some point of the 
procedure $U$ will not be modified any more and its limit $U_\infty$ is obtained. If $\mathcal{P}$ 
computes all inferences from $U_\infty$, then the refutation completeness of the general 
procedure follows. 

Our techniques have been conceived with first-order clausal logic in mind. 
However, note that we do not rely on any particular logic. 

This paper is structured as follows. In Section 2 we give a formal description 
of prover modules, redundancy modules, their combination and some first results. 
In Section 3 we explain how a redundancy module with the right properties can 
be built. Section 4 explains for three cases how to build a prover module in terms 
of an existing prover. First, this is done for an (almost) arbitrary prover, in a 
rather naive way where not much power of the redundancy module is exploited. 
Second, it is done for a prover based on the closure with respect to a complete 
inference system. And third, it is done for saturation-based provers (which is 
the case in most applications, like the ones of [Lyn97], [BG98], and [BGNR99]). 
Finally in Section 5 we give some conclusions. 

2 Modular Redundancy 

We now give a formal description of prover modules, redundancy modules, their 
combination and some first results. 

Definition 1. A prover module is a procedure satisfying: 

- it takes as input a set $S_0$ of formulae 

- at any point of its execution, it may receive messages of the form "replace 
$F$ by $G_1, \dots, G_n$", where $F$ and $G_1, \dots, G_n$ are formulae 

- at any point of its execution, it may produce messages of the form "$F$ has 
been deduced", where $F$ is a formula 

- it may halt with output "unsatisfiable". 



Definition 2. Let $\mathcal{P}$ be a prover module, and consider a given execution of $\mathcal{P}$. 
We denote by $S_0$ the input set of formulae, and for each $k > 0$ by $S_k$ we denote 
the set $S_k = S_{k-1} \cup \{G_1, \dots, G_n\}$, where "replace $F$ by $G_1, \dots, G_n$" is the $k$-th 
message it receives. 

Furthermore, we denote by $U_0$ the input set of formulae, and for each $k > 0$ 
by $U_k$ we denote the set $U_k = (U_{k-1} \setminus \{F\}) \cup \{G_1, \dots, G_n\}$, where "replace $F$ by 
$G_1, \dots, G_n$" is the $k$-th message it receives. 

Definition 3. A prover module $\mathcal{P}$ is correct w.r.t. the given logic if: 

- $S_k \models F$ whenever $\mathcal{P}$ emits an output message "$F$ has been deduced" after 
receiving its $k$-th message. 

- if $\mathcal{P}$ halts with output "unsatisfiable" after receiving its $k$-th message then 
$S_k$ is unsatisfiable. 



Definition 4. A prover module $\mathcal{P}$ is refutation complete if, for every execution 
where it receives exactly $k$ messages, it halts with output "unsatisfiable" whenever 
$U_k$ is unsatisfiable. 



Definition 5. A redundancy module is a procedure that satisfies: 

- it takes as input a set of formulae 

- at any point of its execution, it may produce messages of the form "replace 
$F$ by $G_1, \dots, G_n$", where $F$ and $G_1, \dots, G_n$ are formulae 

- at any point of its execution, it may receive messages of the form "$F$ has 
been deduced", where $F$ is a formula. 

Definition 6. Let $\mathcal{R}$ be a redundancy module, and consider a given execution 
of $\mathcal{R}$. We denote by $R_0$ the input set of formulae, and for each $k > 0$ by $R_k$ we 
denote the set $R_k = R_{k-1} \cup \{F\}$, where "$F$ has been deduced" is the $k$-th received 
message. 



Definition 7. A redundancy module is correct if $R_k \models \{G_1, \dots, G_n\}$ and $G_1, 
\dots, G_n \models F$ whenever it outputs a message "replace $F$ by $G_1, \dots, G_n$" after 
receiving its $k$-th message. 



Definition 8. A redundancy module is finitary if for every execution the number 
of output messages produced is finite. 

A prover module $\mathcal{P}$ can be combined with a redundancy module $\mathcal{R}$ in the 
expected way to obtain what we will call a theorem prover: both modules receive 
the same input set of formulae, and the output messages of each one of them 
are the received messages of the other one. The theorem prover halts if and only 
if $\mathcal{P}$ halts. Let us remark that it is of course not our aim to discuss priority or 
synchronization issues or the like between both modules; one can simply assume 
that $\mathcal{R}$ uses a finite amount of CPU time initially and after each received message; 
when this time is finished $\mathcal{R}$ (possibly after sending a message) transfers control to 
$\mathcal{P}$ until $\mathcal{P}$ emits the next message. 

Theorem 1. A correct and complete prover module in combination with a cor- 
rect and finitary redundancy module is a correct and refutation complete theorem 
prover, that is, a theorem prover that halts with output "unsatisfiable" if, and 
only if, the input set of formulae $S_0$ is unsatisfiable. 

Proof. From the correctness of both modules it follows that for all $i$, all sets $S_i$, 
$U_i$, and $R_i$ are logically equivalent to $S_0$ (by induction on the subindex $i$: the 
new formulae coming from a message that is sent are a logical consequence of 
these sets with smaller index). Since $\mathcal{R}$ is finitary it sends only $k$ messages, for 
some $k$. If $S_0$ is unsatisfiable, the corresponding set $U_k$ is unsatisfiable, and by 
completeness of $\mathcal{P}$ the prover will halt with output "unsatisfiable". Conversely, 
if $\mathcal{P}$ halts with output "unsatisfiable" after receiving its $j$-th message, then, by 
correctness of $\mathcal{P}$, the set $S_j$ and hence $S_0$ is unsatisfiable. □ 

3 Finitary Redundancy Modules 

Here we show how to create a finitary redundancy module, given a well-founded 
ordering $>$ on formulae. In order to abstract from concrete algorithms and stra- 
tegies that can be used in a redundancy module, i.e., to be as general as possible, 
we first model the execution of a redundancy module by the notion of a redun- 
dancy derivation, a sequence of pairs of sets of formulae. The sets $R_i$ correspond 
to what we defined in the previous section. The $U_i$ will play the role of sets 
of formulae that are known to be unsatisfiable, as the set $U$ mentioned in the 
introduction (hence the name $U$, for unsatisfiable). 

Definition 9. We model the execution of a redundancy module by the notion 
of a redundancy derivation, a sequence $(U_0, R_0), (U_1, R_1), \dots$ where all $U_i$ and 
$R_i$ are sets of formulae, and where the transition from a pair $(U_i, R_i)$ to a pair 
$(U_{i+1}, R_{i+1})$ takes place whenever a message is received or sent: 

- $U_0 = R_0 = S_0$, where $S_0$ is the input set of formulae. 

- if a message "$F$ has been deduced" is received then $U_{i+1} = U_i$ and $R_{i+1} = 
R_i \cup \{F\}$ 

- if a message "replace $F$ by $G_1 \dots G_n$" is sent then $U_{i+1} = (U_i \setminus \{F\}) \cup 
\{G_1 \dots G_n\}$ and $R_{i+1} = R_i$. 

We now impose conditions ensuring that the redundancy module satisfies the 
correctness and finiteness requirements: 

Definition 10. Let $>$ be a well-founded ordering on formulae. We say that a 
formula $F$ is redundant w.r.t. $>$ by $G_1 \dots G_n$ if $\{G_1 \dots G_n\} \models F$ and $F > G_i$ 
for all $i$ in $1 \dots n$. 

Let $\mathcal{R}_>$ be a redundancy module modeled by a redundancy derivation $(U_0, R_0), 
(U_1, R_1), \dots$ such that if $U_{i+1} = (U_i \setminus \{F\}) \cup \{G_1 \dots G_n\}$, i.e., a message "replace 
$F$ by $G_1 \dots G_n$" is sent, then 

- $R_i \models \{G_1 \dots G_n\}$ and 

- $F$ is a formula in $U_i$ that is redundant by $G_1 \dots G_n$. 

A practical redundancy module implementing $\mathcal{R}_>$ can be a procedure that 
updates the set $R$ whenever it receives a message, and keeps looking for formulae 
$G_1 \dots G_n$ that can be used for proving the redundancy of some $F$ in the set $U$, by 
means of (probably) well-known redundancy elimination techniques, and then 
replacing $F$ by these $G_1 \dots G_n$. For example, one can simplify $F$ by rewriting 
(demodulating) with some equational formula $G_i$ of $U$, and replace $F$ by its 
simplified version $G_j$. In practice it will be useful to apply formulae $G_i$ that are 
in $U$, since, on the one hand, this helps keeping the set $U$ small, which will be 
useful, and on the other hand, by construction all formulae in each $U_i$ are logical 
consequences of $R_i$, so this does not have to be checked. 

Theorem 2. $\mathcal{R}_>$ is a finitary redundancy module. 

Proof. Let the multiset extension of $>$ be the smallest ordering such that 
$S \cup \{F\}$ is greater than $S \cup \{F_1, \dots, F_n\}$ whenever $F > F_i$ for all $i$ in $1 \dots n$. This 
multiset extension is a well-founded ordering on finite (multi)sets of formulae whenever 
$>$ is a well-founded ordering on formulae (see e.g., [Der87]). 

Indeed every $U_i$ is a finite set of formulae (by induction on $i$: initially it is, and 
at each step only a finite number of formulae is added). Moreover $U$ decreases 
w.r.t. the multiset extension at each message sent. Hence the number of output messages must be 
finite. □ 

Theorem 3. $\mathcal{R}_>$ is a correct redundancy module. 

Proof. From the definition of $\mathcal{R}_>$, whenever a message "replace $F$ by $G_1 \dots G_n$" 
is sent then $R_i \models G_1, \dots, G_n$ and $G_1, \dots, G_n \models F$. This implies correctness. □ 

4 How Do We Obtain a Prover Module from a Given 
Prover 

4.1 A Prover Module from Any Prover 

It is easy to see that, in a naive way, a complete prover module can be obtained 
from any correct and refutation complete theorem prover $A$ (with the name $A$ 
for any): given an unsatisfiable set of formulae $S$ as input, $A$ halts with output 
"unsatisfiable" after finite time. The main idea is simply to restart $A$ with the 
new set $U_k$ every time a message "replace $F$ by $G_1, \dots, G_n$" is received. 

Instead of formally defining the communications between A and the “layer” 
around it, that is, the remaining part of the prover module that uses A, we 
assume, without going into these details, that the layer knows whether A has 
inferred a formula, and that it is possible to tell A by means of the operation 
Restart(S) that it has to restart from scratch with input the set of formulae S. 

We now define the prover module in terms of the prover $A$. In this prover 
module there will be a set of formulae $U$ that will play the same role as before (see 
Definition 2) and as the set $U$ in the redundancy module. It will be maintained 
by this prover module according to this invariant. Hence, initially $U$ is the input 
set $S_0$ and each time a received message "replace $F$ by $G_1 \dots G_n$" is treated, the 
prover module will update $U$ by doing $U := (U \setminus \{F\}) \cup \{G_1 \dots G_n\}$. 

Summarizing, each time a message "replace $F$ by $G_1 \dots G_n$" is received we 
do: $U := (U \setminus \{F\}) \cup \{G_1 \dots G_n\}$, and Restart($U$). Each time the prover $A$ infers 
$F$, a message "$F$ has been deduced" is sent. 

Definition 11. Let $\mathcal{P}_A$ denote the prover module as defined above. 

Theorem 4. If $A$ is a correct and refutationally complete prover, then $\mathcal{P}_A$ is a 
correct and complete prover module. 

Proof. We clearly have $U = U_k$ after the $k$-th message in $\mathcal{P}_A$. And moreover 
$S_k \models U_k$. Then, correctness of $\mathcal{P}_A$ follows from correctness of $A$ and from the fact 
that $A$ is restarted with input $U_k$ after every received message. For completeness, 
suppose $\mathcal{P}_A$ receives exactly $k$ messages. We have $U = U_k$ after the $k$-th message. 
Then, completeness of $\mathcal{P}_A$ follows from completeness of $A$, given that $\mathcal{P}_A$ just 
restarts $A$ with input $U_k$ after the $k$-th received message. □ 

It is doubtful that this naive use of A will lead to any practical usefulness, 
since restarting A from scratch is a very drastic measure that produces large 
amounts of repeated work. A possible alternative would be not to restart A 
after each received message, but restart it each n units of time for an arbitrary 
fixed n. Obviously this does not affect completeness. Another better solution is 
given in the next subsection, where no work is repeated due to restarts, and an 
important amount of unnecessary work is avoided. 
4.2 A Prover Module Built from a Closure Prover 

Here we consider a given prover $C$ (with the name $C$ for closure) that is simply 
based on some correct and refutation complete inference system, and computes 
the closure w.r.t. this inference system using some strategy. Furthermore, it is 
assumed that this is done in such a way that the result is a complete prover: given 
an unsatisfiable set of formulae $S$ as input, it halts with output "unsatisfiable", 
since it finds a contradictory formula, denoted by $\Box$. 

In the following, this kind of prover will be called a closure prover. We will 
show that from $C$ we can build a correct and complete prover module if $C$ fulfils 
some minimal requirements needed in order to interact with it. The resulting 
prover module, in combination with a redundancy module, can reasonably well 
exploit our modular redundancy notions by means of orphan murder. 

We now define the prover module in terms of the prover $C$. 

In this prover module there will be two disjoint sets of formulae, $U$ and $P$, 
that will be maintained by this prover module with the following invariants: the 
set $U$ will play the same role as before (see Definition 2), and $P$ is the set of 
remaining formulae stored by the prover $C$. Hence, initially $U$ is the input set 
$S_0$, and $P$ is empty, and each time a received message "replace $F$ by $G_1 \dots G_n$" 
is treated, the prover module will update $P$ and $U$ by doing $P := P \setminus \{G_1 \dots G_n\}$ 
and $U := (U \setminus \{F\}) \cup \{G_1 \dots G_n\}$ (note that this may cause $F$ to disappear from 
$U \cup P$). Similarly, each time the prover $C$ infers a new formula $F$, the prover 
module will update $P$ by doing $P := P \cup \{F\}$. 

Furthermore, we associate to each $F$ in $U \cup P$ a set of sets of formulae, denoted 
by $Parents(F)$, with the invariant that the sets $\{F_1, \dots, F_n\}$ in $Parents(F)$ 
correspond, one to one, to the inference steps with premises $F_1, \dots, F_n$ and 
conclusion $F$ that have taken place in the prover $C$ and none of $F_1, \dots, F_n$ have 
been removed after the inference step. In order to maintain these invariants, each 
time such an inference takes place, $\{F_1, \dots, F_n\}$ will be added to $Parents(F)$ if 
$F$ already existed in $U \cup P$, and $Parents(F)$ will be $\{\{F_1, \dots, F_n\}\}$ if $F$ is new. 
Similarly, since we require that all formulae occurring in $Parents(F)$ have not 
been removed afterwards from $U \cup P$, if $\{F_1, \dots, F_n\} \in Parents(F)$ and some $F_i$ 
is removed from $U \cup P$ then the set $\{F_1, \dots, F_n\}$ is removed from $Parents(F)$. 

In this context, the idea of orphan murder is the following. If for some formula 
$F$ in $P$ (and hence $F \notin U$) we have $Parents(F) = \emptyset$ then $F$ appeared because 
it was inferred, in one or more ways, by the prover $C$, but, for each one of these 
ways, the premises do not exist any more. Hence $F$ itself is not needed for the 
completeness of the prover $C$ and can be removed as well. This triggers new 
eliminations of other formulae $G$ of $P$ if $F$ occurs in all sets of $Parents(G)$, and 
so on. We assume that each time a formula is eliminated in this way, this fact can 
be communicated to the prover $C$ by an operation Remove($F$), which has the 
effect that $C$ simply removes $F$ from its data structures. This operation has its 
counterpart Add($S$), which tells $C$ to consider the formulae of a set of formulae 
$S$ as additional input formulae. 

Expressing this in an algorithmic way, we obtain the following. Initially $U$ is 
the input set $S_0$, and $P$ is empty. Each time a message "replace $F$ by $G_1 \dots G_n$" 
is received we do: 

    { Precondition: F ∈ U and Parents(F) = ∅ }
    Remove(F)
    Add({G_1, ..., G_n} \ (U ∪ P))
    P := P \ {G_1, ..., G_n}
    U := (U \ {F}) ∪ {G_1, ..., G_n}
    While ∃F' ∈ (U ∪ P) and ∃S' ∈ Parents(F') and S' ⊄ (U ∪ P) Do
        Parents(F') := Parents(F') \ {S'}
        If Parents(F') = ∅ and F' ∈ P Then
            P := P \ {F'}
            Remove(F')
        EndIf
    EndWhile


As a precondition we assume that $F \in U$ and $Parents(F) = \emptyset$ since otherwise 
completeness may be lost. This precondition can be ensured in practice by an 
additional communication mechanism between both modules, for example, by 
making the redundancy module ask permission before it sends a message. On 
the other hand, each time the prover $C$ infers $F$ from premises $G_1 \dots G_n$, a 
message "$F$ has been deduced" is sent, and we do: 

    If F ∈ (U ∪ P) Then
        Parents(F) := Parents(F) ∪ {{G_1, ..., G_n}}
    Else
        P := P ∪ {F}
        Parents(F) := {{G_1, ..., G_n}}
    EndIf

Note that, instead of formally defining the interactions between $C$ and the 
"layer" around it, that is, the remaining part of the prover module that uses $C$, 
we have assumed, without going into these details, that the layer knows whether 
$C$ has inferred a formula from certain premises, and that it is possible to tell $C$ 
by means of the operations Remove($F$) and Add($S$) that certain formulae can 
be removed or have to be added. 
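As an added illustration (constructed for this page, not code from the paper), the following Python program runs the whole scheme of Sections 2 to 4.2 on propositional clauses: a closure prover C (binary resolution) wrapped as the prover module P_C with the U, P and Parents bookkeeping and the orphan-murder loop above, combined with a redundancy module R_> whose well-founded ordering is "fewer literals" and whose only redundancy test is strict subsumption by a single clause (a proper subset G of F satisfies {G} |= F and F > G). The clause encoding, the choice of resolution and subsumption, the single-threaded scheduling in prove(), and the permission check passed as a predicate to find_replacement() are all assumptions of the demo.

```python
"""Toy simulation of Sections 2-4.2 for propositional clauses (constructed
example). Clauses are frozensets of non-zero ints, -x negates x, and the
empty clause is the contradiction. C is binary resolution; R_> orders
clauses by 'fewer literals' and proves F redundant by a G that is a
proper subset of F."""
from itertools import combinations

EMPTY = frozenset()
key = lambda c: (len(c), sorted(c))               # deterministic order

def resolvents(c1, c2):
    return {(c1 - {l}) | (c2 - {-l}) for l in c1 if -l in c2}

class ClosureProver:
    """C: Add/Remove plus step(), which resolves one not-yet-done pair.
    Every stored pair is reached eventually, i.e. C is fair."""
    def __init__(self):
        self.stored, self.done = set(), set()
    def add(self, cs):
        self.stored |= set(cs)
    def remove(self, c):          # forget pairs with c, so that a re-added c
        self.stored.discard(c)    # is resolved again (fairness)
        self.done = {p for p in self.done if c not in p}
    def step(self):
        """[(premises, conclusion), ...] for one pair, None when closed."""
        for c1, c2 in combinations(sorted(self.stored, key=key), 2):
            pair = frozenset((c1, c2))
            if pair not in self.done:
                self.done.add(pair)
                return [((c1, c2), r) for r in resolvents(c1, c2)]
        return None

class ProverModule:
    """P_C: the layer around C keeping U, P and Parents."""
    def __init__(self, s0):
        self.U, self.P, self.halted = set(s0), set(), False
        self.parents = {f: set() for f in s0}   # F -> set of premise sets
        self.C = ClosureProver(); self.C.add(s0)
    def present(self):
        return self.U | self.P
    def step(self):
        """One inference of C; returns the deduced clauses (messages to R),
        or None once the closure has been computed."""
        infs = self.C.step()
        if infs is None:
            return None
        for premises, f in infs:
            if f in self.present():
                self.parents[f].add(frozenset(premises))
            else:
                self.P.add(f); self.parents[f] = {frozenset(premises)}
                self.C.add([f])
            self.halted |= f == EMPTY
        return [f for _, f in infs]
    def replace(self, f, gs):
        """Treat 'replace F by G1..Gn', then perform orphan murder."""
        assert f in self.U and not self.parents[f]       # precondition
        self.C.remove(f)
        new = set(gs) - self.present()
        self.C.add(new)
        self.parents.update({g: set() for g in new})
        self.P -= set(gs)
        self.U = (self.U - {f}) | set(gs)
        del self.parents[f]
        changed = True
        while changed:                                    # orphan murder
            changed = False
            for fp in list(self.present()):
                self.parents[fp] = {s for s in self.parents[fp]
                                    if s <= self.present()}
                if not self.parents[fp] and fp in self.P:
                    self.P.discard(fp); del self.parents[fp]
                    self.C.remove(fp); changed = True

class RedundancyModule:
    """R_>: U starts as S0, R collects S0 and every deduced clause."""
    def __init__(self, s0):
        self.U, self.R = set(s0), set(s0)
    def receive(self, f):
        self.R.add(f)
    def find_replacement(self, allowed):
        """Some (F, [G]) with F in U, G in R, G a proper subset of F, where
        allowed(F) is the prover module's permission check."""
        for f in sorted(self.U, key=lambda c: (-len(c), sorted(c))):
            if allowed(f):
                for g in sorted(self.R, key=key):
                    if g < f:
                        return f, [g]
        return None
    def send(self, f, gs):
        self.U = (self.U - {f}) | set(gs)

def prove(s0, max_steps=10000):
    """Run P_C and R_> in lockstep (R gets a slice after each message).
    Returns (unsatisfiable?, number of replace messages)."""
    pm, rm, n = ProverModule(s0), RedundancyModule(s0), 0
    for _ in range(max_steps):
        if pm.halted:
            return True, n
        rep = rm.find_replacement(lambda f: f in pm.U and not pm.parents[f])
        if rep:
            rm.send(*rep); pm.replace(*rep); n += 1
        elif (deduced := pm.step()) is None:
            return False, n
        else:
            for f in deduced:
                rm.receive(f)
    raise RuntimeError("step budget exhausted")
```

prove() refutes {1,2}, {-1,2}, {1,-2}, {-1,-2} and reports a satisfiable set such as {1,2}, {-1} after the closure has been computed. The replace count is finite because every replacement shrinks U in the multiset extension of the ordering (Theorem 2), and a unit clause moved from P into U by a replacement is kept even after its only Parents set has lost a premise, which is exactly the distinction between U and P that orphan murder relies on.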

Definition 12. Let $\mathcal{P}_C$ denote the prover module as defined above. 

We will now prove that the prover module $\mathcal{P}_C$ is correct and complete. For 
this purpose we need a reasonable additional assumption on the prover $C$, namely 
a notion of fairness: 

Definition 13. A formula $F$ is persistent in $C$ if it is stored by $C$ at some point 
and not removed by the operation Remove($F$) later on. 

The prover $C$ is called fair if, whenever $G_1, \dots, G_n$ become persistent formu- 
lae at some point of the execution, and there is a possible inference with them, 
then this inference is performed after that point. 

Lemma 1. Given an execution of $\mathcal{P}_C$, if $G_1, \dots, G_n$ are persistent formulae in 
$C$ (and hence in $U \cup P$), and there is a possible inference with them producing 
$F$, then $F$ is a persistent formula in $C$. 
Proof. By fairness, this inference is done at some point of the execution after 
$G_1, \dots, G_n$ have become persistent. Furthermore $\{G_1, \dots, G_n\} \in Parents(F)$ 
at that point. Moreover $\{G_1, \dots, G_n\}$ will remain in $Parents(F)$. Then $F$ will 
not be removed since $Parents(F)$ will never be empty. □ 

Theorem 5. $\mathcal{P}_C$ is a correct prover module. 

Proof. Let $S_k$ be defined as in Definition 2. Then we will show that $S_k \models (U \cup P)$ 
after the $k$-th received message and before a new message is received, and the 
correctness of the procedure will follow trivially. It suffices to show that this 
property is satisfied initially, and it is preserved during the execution. Initially 
$U \cup P$ is $S_0$. When an inference is done, its conclusion $F$, which is added to $P$, is a 
consequence of $(U \cup P)$, and therefore, of the corresponding $S_k$. When a message 
is received, $S_k = S_{k-1} \cup \{G_1, \dots, G_n\}$ and nothing else but $\{G_1, \dots, G_n\}$ is 
added to $(U \cup P)$. □ 

Lemma 2. Let $U_k$ be defined as in Definition 2. Then $U_k = U$ after the $k$-th 
received message in $\mathcal{P}_C$. 

Theorem 6. $\mathcal{P}_C$ is a complete prover module. 

Proof. We have to show that, in an execution of our prover module with exactly $k$ 
input messages, if $U_k$ is unsatisfiable then the prover module halts with output 
"unsatisfiable". By the previous lemma, $U_k = U$ immediately after the $k$-th 
received message. Furthermore, by fairness all inferences with premises in $U$ are 
performed after the point their premises become persistent. By Lemma 1 the 
corresponding conclusions are persistent as well. All these descendants will be 
persistent (by iterating this, i.e., by induction on the number of inference steps 
required to obtain a descendant $F$ from $U$). Hence all formulae in the closure of 
$U$ w.r.t. the given inference system are indeed retained by $C$, which implies that 
$\Box$ will be inferred since the inference system of $C$ is refutation complete. □ 

In this subsection we have developed the prover module in terms of a prover
that fulfils a reasonable fairness requirement. We could have followed an
alternative approach, without this fairness requirement. Instead of explaining this
alternative here for closure provers, we develop it for saturation provers in the
next subsection. It will be clear that its application to closure provers is a
particular case.

4.3 A Prover Module from a Saturation Prover 

Here we consider a standard saturation-based prover D (with the name D for
prover with deletion of redundant formulae). Without loss of generality, such a
prover D can be assumed to consist of some strategy controlling the application
of only two basic operations: adding a new formula inferred by some correct
deduction system, and removing a formula F whose redundancy follows from other
formulae F_1, ..., F_n w.r.t. some internal redundancy criterion with the minimal
requirement that F_1, ..., F_n |= F and a kind of transitivity property, namely if
F is redundant by the set of formulae F_1, ..., F_n and F_1 is redundant by the set
of formulae G_1, ..., G_m then F is redundant by the set G_1, ..., G_m, F_2, ..., F_n.
Note that redundancy techniques like demodulation of F into F' can be
expressed by a combination of these two steps: first add F' (which is a logical
consequence), then remove F (which has become redundant).

As usual, a prover like D can be modelled by a derivation, i.e., a sequence of
sets of formulae, of the form D_0, D_1, ... where at each step the strategy decides
by which concrete instance of one of the two basic operations D_{i+1} is obtained
from D_i. Of course, this is done in such a way that the result is a complete
prover. For technical reasons that will become clear soon, here we will make a
reasonable additional assumption, namely that if, for a finite number of basic
steps of the derivation (i.e., for a finite number of decisions about which basic
step is performed next), the strategy is overruled by an external event, like user
interaction, the prover D remains complete. Note that the usual internal fairness
requirements of saturation-based provers are not affected by such a finite number
of “wrong” decisions.

As in the previous subsection, here we assume that the prover D also provides
the operations Add and Remove, and provides information each time it infers a
formula F from a set of premises F_1, ..., F_r. In addition, here we will assume that
each time the prover removes a formula F that is redundant by a set F_1, ..., F_r,
this will be communicated as well.

In a practical prover, its strategy can be based on many different types of
information (stored in data structures, like priority queues based on weighting
functions) that may depend on the current state as well as on historical
information about previous states. Hence it has to be discussed how to deal
with the external operations Add and Remove that were not foreseen when the
strategy was developed. For instance, in a practical prover where a new formula
F is added with the operation Add(F), this F has to be inserted in the different
data structures on which the strategy is based.

In the most general setting the strategy can be based on the whole history
of the current derivation. Then the situation is as follows. Suppose that an
operation Add or Remove takes place after step n of a derivation D_0, ..., D_n,
and this operation converts D_n into another set S. Of course the strategy of
the prover cannot be expected to behave well any more if it continues based
on the history of the derivation D_0, ..., D_n. But fortunately, our prover module
will only perform operations Add and Remove in such a way that another very
similar derivation D'_0, ..., D'_m exists where D'_m is S. Hence it is reasonable to
expect that the prover D will behave well if it continues with the strategy it
would have followed if it had reached S by this alternative similar derivation.

Therefore, we will assume that it is possible to update the internal state of
the prover (on which its strategy is based) into the state it would be in after m
basic steps of the alternative derivation D'_0, ..., D'_m. This is how we will proceed.

However, note that, although this alternative sequence consists of j correct
steps, it may not be a derivation with the strategy. But since we know that
the prover D is complete even if, for a finite number of decisions, the strategy
is overruled by an external event, intuitively, the completeness of the prover
module follows, since there will only be a finite number of such external events.

We now define the prover module in terms of the prover D. Again there will
be sets U and P and Parents(F) for each F in U ∪ P. As before U ∪ P contains
the formulae kept by the prover D, but, due to the internal redundancy, U may
not be U_k but a subset of it. In addition, each formula in U ∪ P can also be blocked
for external removals, i.e., it will never be removed by a Remove(F) operation,
and we denote by Blocked(U ∪ P) the set of blocked formulae in U ∪ P. In
this case we only need the following invariant: U ∪ Blocked(U ∪ P) |= U_k. No
assumption is needed about the set Parents(F) in order to prove correctness
and completeness of the prover module. Nevertheless, as we will see at the end
of this section, the way we deal with these sets in combination with the way
we construct the alternative derivations will allow us in most of the cases to
avoid repeated work. Expressing the previous ideas algorithmically, we obtain
the following. Initially U is the input set S_0, and P is empty.

Each time a message “replace F by G_1 ... G_r” is received we do:

    { Precondition: F ∈ U and Parents(F) = ∅ and F is not blocked }
    Remove(F)
    Add({G_1, ..., G_r} \ (U ∪ P))
    P := P \ {G_1 ... G_r}
    U := (U \ {F}) ∪ {G_1 ... G_r}
    While ∃F' ∈ (U ∪ P) and ∃S' ∈ Parents(F') and S' ⊄ (U ∪ P) Do
        Parents(F') := Parents(F') \ {S'}
        If Parents(F') = ∅ and F' ∈ P and F' is not blocked Then
            P := P \ {F'}
            Remove(F')
        EndIf
    EndWhile



The precondition is ensured as in the previous subsection. On the other hand, 
as said at the beginning of this subsection, after each Remove(F) or Add(F) 
operation, we have to update the internal state of the prover into a new state 
which can be reached by a correct derivation with the prover D ending with the 
same final set of formulae. Below, such an alternative derivation is given for each 
one of these operations. The prover is then updated into the state it would be 
in after producing the alternative derivation. 

The alternative derivation can be built in several different ways. As a general 
rule, for provers keeping more historical information it pays off to build alter- 
native derivations that mimic the past computations quite accurately in order 
to avoid repeated computations; for others, similar results will be obtained by 
shorter derivations leading to the current clause set. In any case, for the main 
results, it suffices for the moment to assume that the alternative derivation is 
defined correctly, in the sense that its final state corresponds to the current set 
of formulae stored in the prover. 
Each time the prover D infers F from premises G_1 ... G_r, a message “F has
been deduced” is sent, and we do:

    If F ∈ (U ∪ P) Then
        Parents(F) := Parents(F) ∪ {{G_1, ..., G_r}}
    Else
        P := P ∪ {F}
        Parents(F) := {{G_1, ..., G_r}}
    EndIf

Finally, each time the prover D removes a formula F due to its redundancy
by a set F_1 ... F_r, we do:

    Foreach F_i in {F_1 ... F_r} Do
        Block(F_i)
    EndForeach
    U := U \ {F}
    P := P \ {F}

Note that, although at this point we do not apply any orphan murder, it 
will be applied only if, later on, another “replace” message is received by the 
redundancy module, which triggers the actual Remove operations. This is done 
because we can ensure completeness only if no more than a finite number of 
Remove operations occur, and there may be an infinite number of internal re- 
dundancy steps. 
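The three handlers above, modelled as an added Python example (not code from the paper): the module keeps U, P, Parents(F) and the blocked set, and sends Add/Remove to a stub prover that only records them. The stub, the string formulae and both scenarios are constructed for this example.

```python
# Added example (not code from the paper): a small model of the prover module P_D
# built on a saturation prover, following the three handlers above. The prover is
# a stub that only records the external Add/Remove operations it receives.


class ProverStub:
    """Stand-in for the saturation prover D (hypothetical, for this example)."""

    def __init__(self):
        self.log = []  # external operations sent to the prover, in order

    def add(self, formulas):
        self.log.append(("Add", frozenset(formulas)))

    def remove(self, formula):
        self.log.append(("Remove", formula))


class ProverModule:
    """Module state: U, P, Parents(F) for F in U ∪ P, and Blocked(U ∪ P)."""

    def __init__(self, prover, initial):
        self.prover = prover
        self.U = set(initial)                        # initially the input set S_0
        self.P = set()                               # formulae deduced by the prover
        self.parents = {f: set() for f in initial}   # Parents(F): set of premise sets
        self.blocked = set()                         # Blocked(U ∪ P)

    def _kept(self):
        return self.U | self.P

    def on_replace(self, f, gs):
        """Message "replace F by G_1 ... G_r" from the redundancy module."""
        gs = set(gs)
        # Precondition: F ∈ U, Parents(F) = ∅ and F is not blocked
        assert f in self.U and not self.parents.get(f) and f not in self.blocked
        self.prover.remove(f)                        # Remove(F)
        new = gs - self._kept()
        if new:
            self.prover.add(new)                     # Add({G_1, ..., G_r} \ (U ∪ P))
        self.P -= gs                                 # P := P \ {G_1 ... G_r}
        self.U = (self.U - {f}) | gs                 # U := (U \ {F}) ∪ {G_1 ... G_r}
        for g in gs:
            self.parents.setdefault(g, set())
        self._orphan_murder()

    def _orphan_murder(self):
        """The While loop: forget parent sets that are no longer kept and remove
        deduced formulae left without parents, unless they are blocked."""
        changed = True
        while changed:
            changed = False
            for fp in list(self._kept()):
                kept = self._kept()
                stale = {s for s in self.parents.get(fp, set()) if not s <= kept}
                if not stale:
                    continue
                changed = True
                self.parents[fp] -= stale
                if not self.parents[fp] and fp in self.P and fp not in self.blocked:
                    self.P.discard(fp)
                    self.prover.remove(fp)

    def on_deduced(self, f, premises):
        """Message "F has been deduced" from premises G_1 ... G_r."""
        s = frozenset(premises)
        if f in self._kept():
            self.parents.setdefault(f, set()).add(s)
        else:
            self.P.add(f)
            self.parents[f] = {s}

    def on_internal_removal(self, f, justification):
        """The prover removed F as redundant by F_1 ... F_r: block the F_i and
        drop F from U and P; no orphan murder is triggered here (see above)."""
        self.blocked.update(justification)
        self.U.discard(f)
        self.P.discard(f)


def scenario_cascade():
    """Replacing a orphans c (deduced from a, b) and then d (deduced from c)."""
    prover = ProverStub()
    m = ProverModule(prover, ["a", "b"])
    m.on_deduced("c", ["a", "b"])
    m.on_deduced("d", ["c"])
    m.on_replace("a", ["a1"])
    return m, prover


def scenario_blocked():
    """As above, but d was found redundant by c first, so c is blocked and stays."""
    prover = ProverStub()
    m = ProverModule(prover, ["a", "b"])
    m.on_deduced("c", ["a", "b"])
    m.on_deduced("d", ["c"])
    m.on_internal_removal("d", ["c"])
    m.on_replace("a", ["a1"])
    return m, prover
```

In the blocked scenario c keeps no parent set but is never sent to Remove, which is exactly what the invariant U ∪ Blocked(U ∪ P) |= U_k relies on.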

Definition 14. Let P_D denote the prover module as defined above.

Theorem 7. P_D is a correct prover module.

Proof. Analogous to the correctness proof of the previous section. □ 

Theorem 8. P_D is a complete prover module.

Proof. We have to show that, in an execution of our prover module with exactly 
k input messages, if Uk is unsatisfiable then the prover module halts with output 
“unsatisfiable” . 

Since there are finitely many input messages, there are finitely many, say n,
operations Add or Remove. Let D_0, ..., D_m be the n-th alternative derivation.
By the invariant of the process we have U ∪ Blocked(U ∪ P) |= U_k, therefore
U ∪ P is unsatisfiable.

Finally, since there are only a finite number of steps (m) contradicting the 
strategy of the prover D, it remains complete, and hence the prover module halts 
with output “unsatisfiable”. □ 

Now it remains to define the alternative derivations. Before it was mentioned
that for some provers it pays off to build alternative derivations that mimic the
past computations quite accurately in order to avoid repeated computations and
for others perhaps not. Here we explain a way that attempts to preserve as much
as possible the previous history.

Suppose D_0, ..., D_n is the current derivation. The following additional invariant,
which is necessary to prove the correctness of the alternative derivation,
is always satisfied: all formulae in (∪_{i≤n} D_i) \ (U ∪ P) are internally redundant
by Blocked(U ∪ P).

— an operation Add(F) takes place. Then, a new derivation, with D_n ∪ {F}
as final set, is constructed as follows. There are two cases to be considered. If
F ∉ D_i for all i ≤ n then we consider the derivation D_0 ∪ {F}, ..., D_n ∪ {F}.
Otherwise, let D_i be the set with maximal i such that F ∈ D_i. Note that
i < n. Hence D_{i+1} is obtained by an internal redundancy of F. Then the
alternative derivation is D_0, ..., D_i, D_{i+2} ∪ {F}, ..., D_n ∪ {F}.

— an operation Remove(F) takes place. Then, a new derivation, with D_n \
{F} as final set, can be constructed. The new derivation D'_0, ..., D'_m consists
of two parts D'_0, ..., D'_k containing only inference steps and D'_k, ..., D'_m
containing only internal redundancy steps.

1. We take D'_0 as (D_0 \ {F}) ∪ Ch(F), where Ch(F) denotes the set of children
of F in inferences along the sequence D_0, ..., D_n. Let D_{i_1}, ..., D_{i_k} be
the sets of the derivation obtained by an inference step where F is neither
a premise nor a conclusion. Then D'_0, ..., D'_k is the derivation where D'_j
is obtained from D'_{j-1} by the same inference step between D_{i_j − 1} and D_{i_j}.
Note that all steps are correct since we have added Ch(F) to the initial
set. Now, we have D'_k = (∪_{i≤n} D_i) \ {F}, and hence D_n \ {F} ⊆ D'_k.

2. The second part of the new derivation consists of eliminating the formulae
in D'_k \ D_n by internal redundancies. This can be done since D_n \ {F}
contains all blocked formulae (F is not blocked since a Remove(F) is
done), and, by the invariant above, all formulae in D'_k \ D_n are redundant
by the blocked formulae.
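The two constructions above, as an added Python example (not the paper's code), over a derivation recorded as its initial set plus the list of basic steps; the sample history and the blocked set at the bottom are constructed for this example.

```python
# Added example (not the paper's code): building the alternative derivations for
# Add(F) and Remove(F) over an explicit derivation history. A derivation
# D_0, ..., D_n is kept as its initial set plus a list of basic steps, each
# ("infer", premises, conclusion) or ("redundant", formula, justification), so
# that D_{i+1} = D_i ∪ {conclusion} or D_i \ {formula}. Formulae are strings.


def replay(initial, steps):
    """Return the sets D_0, ..., D_n determined by the steps, checking that each
    step is applicable (premises / justification present in the current set)."""
    sets = [frozenset(initial)]
    for kind, x, y in steps:
        cur = set(sets[-1])
        if kind == "infer":               # x = premises, y = conclusion
            assert set(x) <= cur, "premises of an inference must be present"
            cur.add(y)
        else:                             # x = removed formula, y = justification
            assert x in cur and set(y) <= cur, "redundancy step not applicable"
            cur.discard(x)
        sets.append(frozenset(cur))
    return sets


def alternative_for_add(initial, steps, f):
    """Alternative derivation ending in D_n ∪ {F}. Returns (initial set, steps)."""
    sets = replay(initial, steps)
    assert f not in sets[-1], "Add(F) is only issued for F not in D_n"
    present = [i for i, d in enumerate(sets) if f in d]
    if not present:
        # F never occurred: D_0 ∪ {F}, ..., D_n ∪ {F} has the very same steps
        return set(initial) | {f}, list(steps)
    i = max(present)                      # D_{i+1} removed F by internal redundancy
    assert steps[i] == ("redundant", f, steps[i][2])
    # D_0, ..., D_i, D_{i+2} ∪ {F}, ..., D_n ∪ {F}: skip that redundancy step
    return set(initial), steps[:i] + steps[i + 1:]


def alternative_for_remove(initial, steps, f, blocked):
    """Alternative derivation ending in D_n \\ {F}: first the inference steps not
    involving F (from D'_0 = (D_0 \\ {F}) ∪ Ch(F)), then internal redundancy steps
    that delete D'_k \\ D_n, justified by the blocked formulae."""
    sets = replay(initial, steps)
    final = sets[-1]
    assert f in final and f not in blocked and set(blocked) <= final
    children = {c for kind, prem, c in steps if kind == "infer" and f in prem}
    new_initial = (set(initial) - {f}) | children
    part1 = [s for s in steps if s[0] == "infer" and f not in s[1] and s[2] != f]
    reached = replay(new_initial, part1)[-1]
    assert reached == frozenset().union(*sets) - {f}  # D'_k = (∪_{i≤n} D_i) \ {F}
    part2 = [("redundant", g, tuple(sorted(blocked))) for g in sorted(reached - final)]
    return new_initial, part1 + part2


# Constructed sample history: c from a, b; d from c; e from b; then e found
# redundant by b (so b is blocked). The final set D_n is {a, b, c, d}.
SAMPLE_INITIAL = {"a", "b"}
SAMPLE_STEPS = [
    ("infer", ("a", "b"), "c"),
    ("infer", ("c",), "d"),
    ("infer", ("b",), "e"),
    ("redundant", "e", ("b",)),
]
SAMPLE_BLOCKED = {"b"}
```

For Remove(c) the function keeps d (a child of c) from the start, replays only the inference of e, and then deletes e again by a redundancy step justified by the blocked formula b.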

Regarding the aim of avoiding repeated work, a last invariant, that is also
satisfied, shows the reason for maintaining the sets Parents(F): for all inference
steps in the derivation with premises F_1, ..., F_r and conclusion F, s.t.
none of F_1, ..., F_r, F are redundant by Blocked(U ∪ P), we have {F_1, ..., F_r} ∈
Parents(F). This invariant ensures that the only missing information in the sets
Parents(F) (about performed inferences) involves either a premise or a conclusion
that is redundant by the blocked formulae. Therefore, it is clear that some
repeated work might be done, but, in any case, the prover could avoid it by
means of internal redundancy steps.

5 Conclusions 

A notion of modular redundancy for theorem proving has been introduced, that 
can be used to exploit redundancy elimination techniques in combination with 
arbitrary existing theorem provers, in a refutation complete way, even if these 
provers are not (or not known to be) complete in combination with the redun- 
dancy techniques when applied in the usual sense. 
We have explained for three cases how to build a prover module in terms of
an existing prover: for arbitrary provers, closure provers and saturation-based
provers. The latter case seems to be the most general and useful one, since there
are several practical applications where the standard general redundancy notions
cannot be used, like [Lyn97], [BG98], and [BGNR99].

Especially in the case of [BGNR99], where the completeness of paramodu- 
lation w.r.t. non-monotonic orderings is proved, we believe that our modular 
redundancy results will be the method of choice. The reason is that the stan- 
dard redundancy notions should be applied w.r.t. an ordering that is built (at 
the completeness proof level) based on semantic information and hence cannot 
even be approximated in a strong enough way during the saturation process. 
Moreover, in many practical applications the existence of a monotonic ordering 
is too strong a requirement. For example, one may want to apply completion to 
a terminating set of rules with a given orientation by a reduction ordering that 
cannot be extended to a total one, like f(a) → f(b) and g(b) → g(a), for which
a and b must be incomparable in any monotonic extension. Another typical
situation is deduction modulo built-in equational theories E, where the existence
of a total E-compatible reduction ordering is a very strong requirement. We plan 
to do some experiments in this context with the Saturate prover [NN93,GNN98]. 
Abstract. Reasoning theories can be used to specify heterogeneous reasoning
systems. In this paper we present an equational version of reasoning
theories, and we study their structuring and composition, and the
use of annotated assertions for the control of search, as mappings between
reasoning theories. We define composability and composition using
the notion of faithful inclusion mapping, we define annotated reasoning
theories using the notion of erasing mapping, and we lift composability
and composition to consider also annotations. As an example, we give
a modular specification of the top-level control (known as waterfall) of
NQTHM, the Boyer-Moore theorem prover.



1 Introduction 

Reasoning theories are the core of the OMRS (Open Mechanized Reasoning
System(s)) framework [14] for the specification of complex, heterogeneous reasoning
systems. The long-term goal of OMRS is to provide a technology which will
allow the development, integration and interoperation of theorem provers (and
similar systems, e.g., computer algebra systems and model checkers) in a principled
manner, with minimal changes to the existing modules. Reasoning theories
are the Logic layer of OMRS, specifying the assertions and the rules used to derive
new assertions and to build derivations. There are two other layers: Control,
specifying the search strategies, and Interaction, specifying the primitives which
allow an OMRS to interact with its environment. The reasoning theory framework
has been used to analyze the NQTHM prover [11] and to develop a modular
reconstruction of the high-level structure of the ACL2 prover [3]. The latter work
augments ACL2 with the ability to construct proofs. In addition, the reasoning
theory framework has been used as the basis of an experiment to re-engineer
the integration of the NQTHM linear arithmetic procedure implemented as a
re-usable separate process [1]. A formalism for the control component of OMRS
was developed and used to specify the control component of NQTHM [10]. The
OMRS framework has also been used to build provably correct systems [13], and
it has been used as the basis for integration of the Isabelle proof system and the
Maple symbolic algebra system [4].

In this paper we study structuring and composition mechanisms for reasoning
theories. We focus on the special case of equationally presented reasoning
theories (ERThs). In passing to ERThs we gain concreteness, executability, and
the availability of equational and rewriting tools, while keeping the originally
envisioned generality and avoiding making unnecessary ontological commitments.
In particular, ERThs have a strong link to equational and rewriting logic [21].
There are increasing levels of structuring of an equationally presented reasoning
theory: ERThs, nested ERThs (NERThs), and also ERThs and NERThs with
annotated assertions for the control of search for derivations. Furthermore, there
are horizontal theory composition operations at each level. The structuring and
composition are formalized in terms of mappings between reasoning theories.
Therefore, our work is in the spirit of “putting theories together” by means of
theory mappings as advocated by Burstall and Goguen [7], that is widely used
in algebraic specifications [2]. In order to simplify the presentation, we treat a
restricted subcase of horizontal composition that is nonetheless adequate for
interesting examples. A more general treatment in terms of pushouts of order-
sorted theories [16,22,23] can be given.

In Section 2 we define ERThs and their composition using the notion of
faithful inclusion mapping. We then define annotated reasoning theories using
the notion of erasing mapping, and lift composability and composition to consider
also annotations. In Section 3 this is extended to NERThs. As an example,
in Section 4 we give a modular specification of the NQTHM top-level control
(known as waterfall). In Section 5 we summarize and outline the future work.

Notation 

We use standard notation for sets and functions. We let ∅ denote the empty
function (the function with empty domain, and whatever codomain). X* denotes
the set of all finite lists of elements in X. [X_0 → X_1] is the set of total functions,
f, with domain, Dom(f) = X_0, and range, Rng(f), contained in the codomain
X_1. Let (X, ≤) be a partial order. If X' ⊆ X, then ≤↾X' is the restriction of ≤
to X', i.e., ≤↾X' = {(x, y) | x ∈ X', y ∈ X', x ≤ y}. X' is downwards closed
in X if whenever x ≤ y and y ∈ X', then x ∈ X'. X' is upwards closed in X if
whenever y ≤ x and y ∈ X', then x ∈ X'.

A family Z of sets over a set I is an assignment of a set Z_i for each i ∈ I.
This is notated by Z = {Z_i}_{i∈I} and we say Z is an I-family. If I = {i} is a
singleton, then we let Z_i stand for {Z_i}_{i∈I}. If I' ⊆ I, the restriction of Z to I'
is defined as Z↾I' = {Z_i}_{i∈I'}. If I' ⊆ I, Z is an I-family, Z' is an I'-family, then
Z' ⊆ Z means Z'_i ⊆ Z_i for i ∈ I'. If Z_j are I_j-families for j ∈ {1,2}, then we
define the (I_1 ∩ I_2)-family Z_1 ∩ Z_2 = {(Z_1)_i ∩ (Z_2)_i}_{i∈I_1∩I_2} and the (I_1 ∪ I_2)-
family Z_1 ∪ Z_2 = {(Z_1)_i ∪ (Z_2)_i}_{i∈I_1∪I_2} (where in the last expression we consider
(Z_1)_i = ∅ if i ∈ I_2 − I_1, and (Z_2)_i = ∅ if i ∈ I_1 − I_2).
2 Equational Reasoning Theories

A reasoning theory specifies a set of inference rules of the form

    l : {cn̄} sq̄ ⇒ sq

where l is the rule label, sq is the conclusion, sq̄ is a list of premisses, and cn̄ is
a list of side conditions. sq and the elements of sq̄ are elements of the set, Sq, of
sequents specified by the reasoning theory. Sequents represent the assertions to
be considered. We use “sequent” in a very broad sense which includes sequent
in the Gentzen/Prawitz sense [12,24], simple formulas and judgements in the
sense of Martin-Löf [19], as well as the complex data structures (carrying logical
information) manipulated by the NQTHM waterfall. Elements of cn̄ are elements
of the set, Cn, of constraints specified by the reasoning theory. If this set is
non-empty, then the reasoning theory also provides an inference machinery for
deriving constraint assertions. Sequents and constraints can be schematic in the
sense that they may contain place holders for missing parts. A reasoning theory
also provides a mechanism for filling in missing parts: a set, I, of instantiations
and an operation, _[_], for applying instantiations to schematic entities. There
is an identity instantiation and instantiations can be composed. A reasoning
theory determines a set of derivation structures (the OMRS notion of proof)
formed by instantiating inference rules and linking them by matching premisses
to conclusions. We write ds : {cn̄} sq̄ ⇒ sq̄' to indicate that ds is a derivation
structure with conclusions the list of sequents sq̄', premisses the list sq̄, and
side conditions the list of constraints cn̄. (See [14] for a detailed description of
reasoning theories.)

2.1 Sequent Signatures and ERThs 

In this paper we focus on equationally presented reasoning theories (ERThs). An
ERTh consists of a sequent signature and a labelled set of rules of inference. A
sequent signature consists of an equational signature, Σ, (the choice of equational
logic is not so important, here for concreteness we take it to be order-sorted
equational logic [15]) together with a sort-indexed family of variables, a set of
equations and a distinguished set of sorts - the sequent sorts. Variables are the
place holders and instantiations are simply sort preserving maps from variables
to terms, applied and composed in the usual way. The equational theory just
serves to define the sequents; deduction over such sequents is specified by the
rules of inference of the ERTh. Therefore, the expressivity of ERThs is by no
means limited to first-order equational logic: other logics can be easily expressed
(e.g., higher-order) by using suitable rules of inference (see for example
formalizations of Lambda calculus [18], HOL and NuPrl [25], and the Calculus of
Constructions [26] in the Maude Rewriting Logic implementation).

Definition: sequent signatures. A sequent signature is a tuple eseq =
(Σ, X, E, Q) where Σ = (S, ≤, O) is an order-sorted equational signature in
which S is the set of sorts, O is an S*×S-indexed family of operations, and
≤ is a partial order on S; X is an S-indexed family of variables; E is a set
of Σ-equations; and Q ⊆ S is the set of sequent sorts. We require that Q be
downwards and upwards closed in S. Elements of O_{s̄,s} are said to have rank s̄, s,
where s̄ is the list of argument sorts (the arity) and s is the result sort, and
we write o : s̄ → s to indicate that o is an element of O_{s̄,s}. We assume that
each set X_s for s ∈ S is countably infinite. T_eseq = T_Σ(X) is the free order-
sorted Σ-algebra over X whose elements are terms formed from elements of X
by applying operations of O to lists of terms of the appropriate argument sorts.
For s ∈ S, T_{eseq,s} is the set of eseq terms of sort s and for S' ⊆ S, T_{eseq,S'} is
the set of terms of sort s for s ∈ S': T_{eseq,S'} = ∪_{s∈S'} T_{eseq,s}. We further require
that Σ be coherent [15]. For our purposes this can be taken to mean that every
connected component of the sort poset has a top element, and that there is a
function ls : T_eseq → S mapping each term to its least sort in the partial order
≤ on S.

An equation is a pair of terms of the same sort, thus E ⊆ ∪_{s∈S} T_{eseq,s} ×
T_{eseq,s}. The rules of deduction of order-sorted equational logic [15] then define
an order-sorted Σ-congruence =_E on T_eseq. We say that t, t' are E-equivalent
if t =_E t'. For an eseq term t we let [t]_E be the E-equivalence class of t and for
any set T ⊆ T_{eseq,S} we let {T}_E be the set of E-equivalence classes of terms in
T.

The set of sequents, Sq_eseq, presented by eseq, is the set of equivalence classes
of terms with sorts in Q: Sq_eseq = {T_{eseq,Q}}_E. Instantiations are sort-preserving
mappings from X to T_eseq, with identity and composition defined in the obvious
way. Their application to sequents consists in substituting terms for variables in
members of the equivalence classes.

Definition: rules and ERThs. The set of rules Rules_eseq over a sequent
signature eseq is the set of pairs (sq̄, sq) where sq̄ ∈ Sq*_eseq and sq ∈ Sq_eseq. We
fix a set of labels, Lab, to use for rule names.

An ERTh, erth, is a pair (eseq, R) where eseq is a sequent signature and
R : L → Rules_eseq is a function from a set of labels L ⊆ Lab to the set of rules
over eseq. We write l : sq̄ ⇒ sq ∈ R if l ∈ L and R(l) = (sq̄, sq).



2.2 Composing Sequent Signatures and ERThs 

Specifying composition of systems at the logical level amounts to specifying how
deductions performed by the different systems relate to each other (e.g., how
an inequality proved by a linear arithmetic decider can be used by a rewriter
to rewrite a term involving an arithmetic expression). This demands that
the ERThs of the systems to be composed share some language, and that the
composition preserves the shared language and its meaning. We represent the
sharing by theory mappings from the shared part to each component. We restrict
the mappings used for composition to guarantee that composition makes sense:
there should be a uniquely defined composite with mappings from the component
theories that agree on the shared part, and the theory mappings should induce
mappings that extend/restrict instantiations in a well-behaved manner, so that
the result is a mapping of ERThs. Here we consider a very simple but natural
restriction with the desired properties. The general situation will be treated in
a forthcoming paper [20].

Definition: faithful inclusions. Let eseq_j = ((S_j, ≤_j, O_j), X_j, E_j, Q_j) be
sequent signatures for j ∈ {0, 1}. A faithful inclusion arrow exists from eseq_0 to
eseq_1 (written eseq_0 ↪ eseq_1) if

1. S_0 ⊆ S_1, O_0 ⊆ O_1, X_0 ⊆ X_1, and Q_0 ⊆ Q_1;

2. X_1↾S_0 = X_0, and Q_1 ∩ S_0 = Q_0;

3. ≤_1↾S_0 = ≤_0, and S_0 is downwards and upwards closed in S_1;

4. any operation in O_1 with result sort in S_0 is in O_0;

5. for terms t, t' in T_{eseq_0} having sorts in the same connected component of
≤_0, t' ∈ [t]_{E_1} iff t' ∈ [t]_{E_0}.

Lemma (term.restriction): If eseq_0 ↪ eseq_1, then T_{eseq_1}↾S_0 = T_{eseq_0}.

Therefore any sub-term of a term t ∈ T_{eseq_1,S_0} has sort in S_0. In fact t is an
eseq_0-term.

Lemma (incl.transitivity): If eseq_0 ↪ eseq_1 and eseq_1 ↪ eseq_2, then
eseq_0 ↪ eseq_2.

Definition: sequent signature composition. Let eseq_j = ((S_j, ≤_j, O_j),
X_j, E_j, Q_j) for j ∈ {0,1,2}. eseq_1 is composable with eseq_2 sharing eseq_0 if
eseq_0 ↪ eseq_j for j ∈ {1,2} are faithful inclusions such that S_1 ∩ S_2 = S_0,
O_1 ∩ O_2 = O_0, X_1 ∩ X_2 = X_0, Q_1 ∩ Q_2 = Q_0. The composition of eseq_1 and
eseq_2 sharing eseq_0 (written eseq_1 +_{eseq_0} eseq_2) is the ‘least’ sequent signature
including eseq_1 and eseq_2. More precisely,

    eseq_1 +_{eseq_0} eseq_2 = ((S_1 ∪ S_2, ≤_1 ∪ ≤_2, O_1 ∪ O_2), X_1 ∪ X_2, E_1 ∪ E_2, Q_1 ∪ Q_2).



Lemma (incl.composition): If eseq_j for j ∈ {0,1,2} satisfy the conditions
for composability, then eseq_1 ↪ eseq_1 +_{eseq_0} eseq_2, eseq_2 ↪ eseq_1 +_{eseq_0} eseq_2.
Also (by transitivity) eseq_0 ↪ eseq_1 +_{eseq_0} eseq_2.

To avoid the need to make the shared part of a composition explicit we define 
a function that computes the shared part of a pair of sequent signatures and say 
that two sequent signatures are composable just if their shared part is faithfully 
included in both signatures. 

Definition: shared part. Let eseq_j = ((S_j, ≤_j, O_j), X_j, E_j, Q_j) be sequent
signatures for j ∈ {1,2}. Define shared(eseq_1, eseq_2) by

    shared(eseq_1, eseq_2) = (Σ_0, X_0, E_0, Q_0)

where Σ_0 = (S_0, ≤_0, O_0), S_0 = S_1 ∩ S_2, ≤_0 = ≤_1 ∩ ≤_2, O_0 = (O_1 ∩ O_2)↾(S_0* × S_0),
X_0 = (X_1 ∩ X_2)↾S_0, E_0 = {e ∈ (E_1 ∪ E_2) | e is a Σ_0-equation}, and Q_0 = Q_1 ∩ Q_2.

Definition: composability and composition. eseq_1 is composable with
eseq_2 (written eseq_1 ⋈ eseq_2) if

1. shared(eseq_1, eseq_2) ↪ eseq_1

2. shared(eseq_1, eseq_2) ↪ eseq_2

If eseq_1 ⋈ eseq_2, then their composition eseq_1 + eseq_2 is defined by

    eseq_1 + eseq_2 = eseq_1 +_{shared(eseq_1, eseq_2)} eseq_2

The two notions of composability and composition are related as follows. 

Lemma (composing): eseq_1 is composable with eseq_2 sharing eseq_0 if eseq_0 =
shared(eseq_1, eseq_2) and eseq_1 ⋈ eseq_2.

Lemma (ACI): Composition of sequent signatures is associative, commutative
and idempotent. (Note that since composition is partial it is necessary to
check both definedness and equality.)

(C) if eseq_1 ⋈ eseq_2 then shared(eseq_1, eseq_2) = shared(eseq_2, eseq_1) and eseq_1 +
eseq_2 = eseq_2 + eseq_1

(A) if eseq_1 ⋈ eseq_2 and eseq_0 ⋈ (eseq_1 + eseq_2), then eseq_0 ⋈ eseq_1 and
(eseq_0 + eseq_1) ⋈ eseq_2 and eseq_0 + (eseq_1 + eseq_2) = (eseq_0 + eseq_1) + eseq_2.

(I) eseq ⋈ eseq and eseq + eseq = eseq
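The definitions of shared part, faithful inclusion, composability and composition, as an added Python example (not the paper's code) over finite signatures. The signatures ESEQ_1 and ESEQ_2, the term encoding and the simplifications listed in the header comment are assumptions of this example; the variant ESEQ_2_BAD shows condition 4 of faithful inclusions failing.

```python
# Added example (not the paper's code): sequent signatures as finite data, with
# shared(), the faithful-inclusion test, composability and composition as defined
# above. Simplifications assumed here: each sort carries finitely many named
# variables; equations are pairs of opaque terms and "e is a Σ_0-equation" is
# checked syntactically; condition 5 of faithful inclusions (agreement of the
# E-congruences on the shared part) is not checked.
from dataclasses import dataclass


@dataclass(frozen=True)
class SeqSig:
    sorts: frozenset     # S
    leq: frozenset       # strict part of ≤, as pairs (s, s')
    ops: frozenset       # O, as triples (name, arity tuple, result sort)
    vars: frozenset      # X, as pairs (variable, sort)
    eqs: frozenset       # E, as pairs (lhs, rhs) of terms
    qsorts: frozenset    # Q ⊆ S, the sequent sorts


def uses_only(term, sig):
    """Syntactic check that a term is built from sig's operations and variables.
    Terms are ("var", name) or ("op", name, (args...))."""
    if term[0] == "var":
        return any(v == term[1] for v, _ in sig.vars)
    return any(o == term[1] for o, _, _ in sig.ops) and all(uses_only(a, sig) for a in term[2])


def shared(e1, e2):
    """shared(eseq_1, eseq_2) = (Σ_0, X_0, E_0, Q_0) as in the definition above."""
    s0 = e1.sorts & e2.sorts
    o0 = frozenset(o for o in e1.ops & e2.ops if set(o[1]) <= s0 and o[2] in s0)
    x0 = frozenset(v for v in e1.vars & e2.vars if v[1] in s0)
    sig0 = SeqSig(s0, e1.leq & e2.leq, o0, x0, frozenset(), e1.qsorts & e2.qsorts)
    eq0 = frozenset(e for e in e1.eqs | e2.eqs if uses_only(e[0], sig0) and uses_only(e[1], sig0))
    return SeqSig(s0, sig0.leq, o0, x0, eq0, sig0.qsorts)


def faithful_inclusion(e0, e1):
    """Conditions 1-4 of eseq_0 ↪ eseq_1 (condition 5 is assumed to hold)."""
    s0 = e0.sorts
    c1 = s0 <= e1.sorts and e0.ops <= e1.ops and e0.vars <= e1.vars and e0.qsorts <= e1.qsorts
    c2 = frozenset(v for v in e1.vars if v[1] in s0) == e0.vars and e1.qsorts & s0 == e0.qsorts
    closed = all((a in s0) == (b in s0) for a, b in e1.leq)  # down- and upwards closed
    c3 = frozenset(p for p in e1.leq if p[0] in s0 and p[1] in s0) == e0.leq and closed
    c4 = all(o in e0.ops for o in e1.ops if o[2] in s0)      # no new ops into shared sorts
    return c1 and c2 and c3 and c4


def composable(e1, e2):
    e0 = shared(e1, e2)
    return faithful_inclusion(e0, e1) and faithful_inclusion(e0, e2)


def compose(e1, e2):
    """eseq_1 + eseq_2: componentwise union, defined only when composable."""
    assert composable(e1, e2)
    return SeqSig(e1.sorts | e2.sorts, e1.leq | e2.leq, e1.ops | e2.ops,
                  e1.vars | e2.vars, e1.eqs | e2.eqs, e1.qsorts | e2.qsorts)


# Constructed signatures. Shared language: naturals and a sequent sort Seq
# whose sequents assert "n ≤ m" between naturals.
ZERO = ("op", "zero", ())
NAT_OPS = {("zero", (), "Nat"), ("succ", ("Nat",), "Nat"), ("leq", ("Nat", "Nat"), "Seq")}
NAT_VARS = {("n", "Nat"), ("m", "Nat")}

# eseq_1 adds a Bool component with iszero : Nat → Bool and iszero(zero) = tt.
ESEQ_1 = SeqSig(
    frozenset({"Nat", "Seq", "Bool"}), frozenset(),
    frozenset(NAT_OPS | {("tt", (), "Bool"), ("iszero", ("Nat",), "Bool")}),
    frozenset(NAT_VARS | {("b", "Bool")}),
    frozenset({(("op", "iszero", (ZERO,)), ("op", "tt", ()))}),
    frozenset({"Seq"}))

# eseq_2 adds lists of naturals with a subsort NeList ≤ List.
LIST_OPS = {("nil", (), "List"), ("cons", ("Nat", "List"), "NeList")}
ESEQ_2 = SeqSig(
    frozenset({"Nat", "Seq", "List", "NeList"}), frozenset({("NeList", "List")}),
    frozenset(NAT_OPS | LIST_OPS), frozenset(NAT_VARS | {("l", "List")}),
    frozenset(), frozenset({"Seq"}))

# A variant that also defines length : List → Nat. Its result sort lies in the
# shared part, so condition 4 fails and ESEQ_1, ESEQ_2_BAD are not composable.
ESEQ_2_BAD = SeqSig(ESEQ_2.sorts, ESEQ_2.leq,
                    ESEQ_2.ops | {("length", ("List",), "Nat")},
                    ESEQ_2.vars, ESEQ_2.eqs, ESEQ_2.qsorts)
```

Besides the positive and negative composability checks, the same functions let one confirm the (C) and (I) clauses of Lemma (ACI) on these signatures.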

Definition: multi-composition. A special case of multiple composition is
when there is a common shared part among several sequent signatures. We say
that a set of sequent signatures, {eseq_i | 1 ≤ i ≤ k}, is composable if there
is some eseq_0 such that shared(eseq_i, eseq_j) = eseq_0 for 1 ≤ i ≠ j ≤ k and
eseq_0 ↪ eseq_i for 1 ≤ i ≤ k. In this case, the composition of {eseq_i | 1 ≤ i ≤ k}
is just the repeated binary composition: eseq_1 + ... + eseq_k. By (ACI) the order
in which the elements are listed does not matter.

Definition: composing ERThs. Composability and composition lift naturally
to ERThs. Let erth_j = (eseq_j, R_j) for j ∈ {1, 2} be ERThs. Then erth_1 is
composable with erth_2 (written erth_1 ⋈ erth_2) if eseq_1 ⋈ eseq_2 and the domains
of R_1 and R_2 are disjoint. If erth_1 ⋈ erth_2, then the composition of erth_1 with
erth_2 is defined by

    erth_1 + erth_2 = (eseq_1 + eseq_2, R_1 ∪ R_2)



2.3 Annotated Sequent Signatures and ERThs 

Informally an annotated sequent signature is a pair of sequent signatures, (eseq^a,
eseq) together with an erasing mapping ε : eseq^a → eseq which “removes
annotations”, extracting the logical content of annotated assertions. An annotated
ERTh is a pair of ERThs (erth^a, erth) together with an erasing mapping
ε : erth^a → erth such that the mapping on the underlying sequent signatures
gives an annotated sequent signature and annotated rules map to derivation
structures over erth.

An erasing map ε : eseq^a → eseq is a map of theories that maps each sort
of eseq^a (the annotated theory) to either a sort of eseq or to the empty list of
sorts (erasing it in that case). The conditions for erasing maps are given below.
Erasing maps are more general than the usual maps of theories (that map sorts to
sorts). Categorically, an erasing map extends to a functor ε : C_{eseq^a} → C_{eseq} that
preserves products and inclusions between the “Lawvere theories” associated to
the order-sorted theories eseq^a and eseq [17].

Annotations are very useful for controlling the search for derivations, as will
be illustrated in Section 4. The mapping from annotated rules to derivation
structures gives for each derivation at the annotated level, a corresponding, possibly
more detailed derivation in the original theory.

Definition: annotated sequent signature. Let eseq^a = (Σ^a, X^a, E^a, Q^a)
and eseq = (Σ, X, E, Q) be sequent signatures, where Σ^a = (S^a, ≤^a, O^a) and
Σ = (S, ≤, O). Then ε : eseq^a → eseq is an annotated sequent signature if ε,
with the action on sorts and terms lifted homomorphically to lists, satisfies the
following:

1. ε : S^a → S ∪ {[ ]} such that:

— if s^a_0 ≤^a s^a_1, then ε(s^a_0) ≤ ε(s^a_1)

— if q^a ∈ Q^a, then ε(q^a) ∈ Q

— if s^a ∈ S^a and ε(s^a) ∈ Q then s^a ∈ Q^a

2. ε : X^a → X ∪ {[ ]} such that if x^a ∈ X^a_{s^a} and ε(s^a) = s, then ε(x^a) ∈ X_s
and if ε(s^a) = [ ], then ε(x^a) = [ ] (i.e., the empty list of variables).

3. If o^a : s̄^a → s^a, and ε(s^a) = s (not [ ]), then ε(o^a(x^a_1, ..., x^a_n)) is a Σ-term
with sort s and free variables list ε(x^a_1, ..., x^a_n). ε is extended homomorphically
to eseq^a-terms.

4. If t^a_0 ∈ [t^a_1]_{E^a} then ε(t^a_0) ∈ [ε(t^a_1)]_E

If erth^a = (eseq^a, R^a) and erth = (eseq, R), then ε : erth^a → erth is an
annotated ERTh if ε : eseq^a → eseq is an annotated sequent signature and for
l : sq̄^a ⇒ sq^a ∈ R^a there is a derivation structure ds : ε(sq̄^a) ⇒ ε(sq^a) in the set
of erth derivation structures (such derivation structures are described in detail
in [20]).

Now we consider the relation between annotated theories and composition. 

Lemma (compose.erase): Let $\varepsilon_j : erth^a_j \to erth_j$ be annotated ERThs for $j \in \{1, 2\}$, where $erth^a_j = (eseq^a_j, R^a_j)$ and $erth_j = (eseq_j, R_j)$. Suppose that $erth^a_1 \bowtie erth^a_2$, $erth_1 \bowtie erth_2$, and that $\varepsilon_1$, $\varepsilon_2$ agree on $shared(eseq^a_1, eseq^a_2)$. Then we have annotated ERThs

$$\varepsilon_1 \cap \varepsilon_2 : shared(eseq^a_1, eseq^a_2) \to shared(eseq_1, eseq_2)$$

$$\varepsilon_1 + \varepsilon_2 : eseq^a_1 + eseq^a_2 \to eseq_1 + eseq_2$$

where $\varepsilon_1 \cap \varepsilon_2$ is the common action of the two mappings on the shared part, and $\varepsilon_1 + \varepsilon_2$ acts as $\varepsilon_1$ on elements coming from $eseq_1$ and as $\varepsilon_2$ on elements coming from $eseq_2$ (and as $\varepsilon_1 \cap \varepsilon_2$ on the shared elements).
3 Nested Equational Reasoning Theories

To represent proof systems with conditional inference rules and other subsidiary deductions that we may want to treat as side conditions, we represent the side conditions and their rules for verification by a sub-reasoning theory called the constraint theory. This gives rise to a nested ERTh (NERTh for short). Note that this nesting organization can be further applied to the constraint theory, giving rise to higher levels of nesting. For simplicity we consider only one level here, as all the features and the necessary machinery already appear at this stage.

Definition: NERThs. A nested sequent signature is a tuple $neseq = (eseq, (eseq_c, R_c))$ where $eseq$ is a sequent signature with sequent sorts $Q$ and $(eseq_c, R_c)$ is an ERTh with sequent sorts $Q_c$ such that $eseq \bowtie eseq_c$ and the shared part has no sequent sorts, i.e., $Q \cap Q_c = \emptyset$.

A NERTh is a pair $nerth = (neseq, R)$ where $neseq$ is a nested sequent signature and, letting $Sq = Sq_{eseq}$ and $Cn = Sq_{eseq_c}$, we have $Rules : L \to Cn^* \times Sq^* \times Sq$. Thus, labelled rules of a nested reasoning structure have the form $l : \overline{cn}, \overline{sq} \Rightarrow sq$ where $\overline{cn}$ are the side conditions or premisses to be established by deduction in the constraint theory.

Definition: composition of NERThs. Let $neseq_j = (eseq_j, (eseq_{j,c}, R_{j,c}))$ be nested sequent signatures for $j \in \{1, 2\}$. $neseq_1$ is composable with $neseq_2$ (written $neseq_1 \bowtie neseq_2$) if:

1. $eseq_1 \bowtie eseq_2$, $eseq_{1,c} \bowtie eseq_{2,c}$, and $eseq_1 + eseq_2 \bowtie eseq_{1,c} + eseq_{2,c}$;

2. $shared(eseq_1, eseq_{2,c})$ has no sequent sorts, and $shared(eseq_2, eseq_{1,c})$ has no sequent sorts.

Note that 2. together with the assumption that $neseq_j$ is a nested sequent signature implies that there are no sequent sorts in $shared(eseq_1 + eseq_2, eseq_{1,c} + eseq_{2,c})$.

If $neseq_1 \bowtie neseq_2$, then the composition $neseq_1 + neseq_2$ is defined by

$$neseq_1 + neseq_2 = (eseq_1 + eseq_2,\; erth_{1,c} + erth_{2,c})$$

Let $nerth_j = (neseq_j, R_j)$ be NERThs for $j \in \{1, 2\}$. $nerth_1$ is composable with $nerth_2$ ($nerth_1 \bowtie nerth_2$) if $neseq_1 \bowtie neseq_2$ and the domains of $R_1$ and $R_2$ are disjoint. If $nerth_1 \bowtie nerth_2$, then the composition is defined by

$$nerth_1 + nerth_2 = (neseq_1 + neseq_2,\; R_1 \cup R_2)$$



Definition: annotated NERThs. Annotated nested sequent signatures and NERThs are defined analogously to the non-nested case. Let $nerth^a = (neseq^a, R^a)$ and $nerth = (neseq, R)$ where $neseq^a = (eseq^a, erth^a_c)$, $neseq = (eseq, erth_c)$, $erth^a_c = (eseq^a_c, R^a_c)$, and $erth_c = (eseq_c, R_c)$. Then $\varepsilon : nerth^a \to nerth$ is an annotated nested reasoning theory if there are mappings $\varepsilon'$ and $\varepsilon_c$ such that $\varepsilon' : eseq^a \to eseq$ is an annotated sequent signature, $\varepsilon_c : erth^a_c \to erth_c$ is an annotated reasoning theory, $\varepsilon'$ and $\varepsilon_c$ agree on $shared(eseq^a, eseq^a_c)$, and $\varepsilon = \varepsilon' + \varepsilon_c$ is such that $\varepsilon : (eseq^a + eseq^a_c, R^a \cup R^a_c) \to (eseq + eseq_c, R \cup R_c)$ is an annotated reasoning theory. The final clause is needed to ensure that the annotated rules are mapped to derivations in $nerth$. In fact all that needs to be checked is that the rules in $R^a$ map to derivations; the rest follows by the disjointness of sequents and constraints and the requirement that $\varepsilon_c$ is an annotation erasing map on $erth^a_c$.



4 An Annotated Reasoning Theory for the NQTHM Waterfall

We demonstrate the usefulness of the concepts just presented by applying them to a nontrivial case study. We describe salient aspects of a specification of the NQTHM [5,6] waterfall as an annotated NERTh $\varepsilon_W : nerWat^a \to nerWat$. Such an annotated NERTh can be composed with annotated NERThs for the other sub-systems of NQTHM, to produce an annotated NERTh for the whole system. To provide some background, we first describe the features of the waterfall that are relevant to our specification.



4.1 The NQTHM Waterfall 

When the user asks NQTHM to prove an assertion, this is first pre-processed. 
While the details of pre-processing are not relevant here, the important fact is 
that a list of clauses (to be considered conjunctively) is produced and is fed 
into the waterfall. This is shown in the upper part of Fig. 1. The waterfall then 
tries to prove all the resulting clauses by means of six main inference processes 
(simplification, elimination of destructors, cross-fertilization, generalization, eli- 
mination of irrelevance, and induction), called upon each clause in turn, until 
no clauses are left. Each process returns a list of zero or more clauses which 
replace the input clause; the provability of the input clause is implied by that 
of the returned ones (i.e., from a logical point of view these inference processes 
work backwards). 

The clauses manipulated by the waterfall are stored in two data structures: the Top and the Pool (shown in Fig. 1). The Top is a list of pairs where the first element is a clause and the second element is the (current) history of the clause. A history of a clause $cl_0$ is a list of triples $(hid_1, cl_1, hnfo_1), \ldots, (hid_n, cl_n, hnfo_n)$, where each triple is called a history element, each $hid_i \in \{SI, ED, CF, GE, EI\}$ and is called history identifier (it identifies one of the first five main inference processes), each $cl_i$ is a clause, and each $hnfo_i$ is a history info. Such a history expresses that, for $1 \le i \le n$, clause $cl_{i-1}$ has been obtained from $cl_i$ by applying the process identified by $hid_i$; $hnfo_i$ contains (process-dependent) details about such backward derivation. Histories are updated by the waterfall as the proof progresses. The Pool is a list, treated as a stack, of pairs whose first component is a clause and second component, called tag, is either TBP (To Be Proved) or BP (Being Proved). Just after the pre-processing, the Top is set to the list of resulting clauses, each one equipped with the empty history. The Pool is instead set to the empty list.




Fig. 1. The NQTHM waterfall.



When the Top is non-empty, its first clause and history are fed into the sim- 
plifier, which returns a list of clauses and a history info. If the returned list is 
equal to the singleton list having as unique element the input clause, then the 
simplifier has failed. Otherwise, it has succeeded, and the returned clauses are 
prepended to the Top, each paired with the history obtained by extending the 
input history with the history element consisting of SI, the input clause, and 
the history info returned by the simplifier. If the simplifier fails, the clause and 
history are fed into the elimination of destructors, cross-fertilization, generaliza- 
tion, and elimination of irrelevance processes (in this order), until one succeeds. 
As soon as one process applies successfully, the output clauses are added to the 
Top analogously to the case of the simplifier. If none of the above processes suc- 
ceeds, then the clause, paired with the tag TBP, is pushed onto the Pool (and 
the history is discarded), unless it is the empty clause (i.e., with no literals), in 
which case NQTHM stops with a failure. See the rightmost part of Fig. 1. 

When the Top is empty, if also the Pool is empty, then NQTHM terminates 
with success (the conjecture has been proved). Otherwise, the waterfall performs 
the following actions. If the clause at the head of the Pool is tagged by BP, then 
the clause and the tag are popped (that means that the clause has been proved; 
see below). When the clause at the head is tagged by TBP, another clause in the 
Pool is searched, which subsumes it (i.e., the clause at the head is an instance of
the subsuming one). In case one clause is found, then if it is tagged by BP, then 
NQTHM stops with a failure (because a loop in inventing inductions is likely to 
be taking place); if instead it is tagged by TBP, then the clause and tag at the 
head are just popped (because if the subsuming clause eventually gets proved, 
also the subsumed one is provable), and things go on as above (i.e., when the 
head clause is tagged by BP, it is popped, etc.). If no subsuming clause is found, 
the tag is changed to BP and the clause is fed into the induction process. In case 
the induction process cannot invent any induction, NQTHM stops with a failure. 
Otherwise the induction process produces a list of clauses which are prepended 
to the Top, each paired with the empty history. See the leftmost part of Fig. 1. 
In this second case, the clause and history at the head of the Top are fed into 
the simplifier, and things go on as previously explained. So, note that when the 
Top is empty and the head clause of the Pool is tagged by BP, this means that 
it has been really proved (as said above). 

We now explain in detail an important feature which we have omitted above 
for ease of understanding. The feature is motivated as follows: after inventing 
an induction scheme, it is heuristically convenient to prevent the rewriting of 
terms appearing in the induction hypothesis, and to force the rewriting of terms 
appearing in the induction conclusion (so that the hypothesis can be used to 
prove the conclusion). For this purpose, the induction process also produces two 
sets of terms as outputs (those appearing in the hypothesis and those in the 
conclusion), which are fed into the simplifier. Anyway, this special treatment of 
the terms is only performed the first time the simplifier is called upon a clause 
produced by induction. To achieve that, as soon as the simplifier fails upon 
a clause, its history is extended with a history element consisting of a (sixth) 
settle-down history identifier SD, the clause itself, and the empty history info 
(i.e., carrying no information). SD indicates that the clause has “settled down” 
with respect to the special treatment of terms appearing in induction hypothesis 
and conclusion. The clause and the new history are then fed into the simplifier. 
However, this does not happen if SD is already present in the history; in that 
case the clause and the history are just fed into the elimination of destructors 
process. The simplifier ignores the two input sets of terms if and only if SD is 
present in the input history. 
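The control structure of the waterfall just described, as an added example that is not part of the original paper or of NQTHM's own code: a Python simulation of the Top and Pool data structures, of histories with the settle-down identifier SD, of the order in which the inference processes are tried, and of the subsumption check on the Pool. Clauses are propositional sets of literals; the simplifier and the induction process are constructed stand-ins (a theory of unit axioms, and a lookup table of induction schemes), and the propositional subset test stands in for the instance check. All of these, together with the names `waterfall`, `simplify`, `toy_induction`, `THEORY` and `SCHEMES`, are assumptions of the example, not NQTHM's heuristics.

```python
# Simulation of the NQTHM waterfall control loop (constructed example).
Clause = frozenset   # a clause is a set of literals; "~x" is the negation of "x"

def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def subsumes(cl1, cl2):
    """Propositional stand-in (assumption) for 'cl2 is an instance of cl1'."""
    return cl1 <= cl2

def simplify(th, cl, hst, hyp_terms):
    """Toy simplifier (assumption): drops literals refuted by a unit axiom of
    th and recognises a proved clause (one containing an axiom or a
    complementary pair). Literals of the induction hypothesis are left alone
    until SD is in the history, as described in Sect. 4.1. Failure is
    signalled, as in NQTHM, by returning the input clause itself."""
    settled = any(h[0] == "SD" for h in hst)
    kept = {l for l in cl
            if not (neg(l) in th["axioms"] and (settled or l not in hyp_terms))}
    proved = any(l in th["axioms"] or neg(l) in kept for l in kept)
    return ([] if proved else [Clause(kept)]), f"dropped {len(cl) - len(kept)}"

def fail(th, cl, hst):
    """Stand-in for ED, CF, GE and EI: every call fails."""
    return [cl], None

def waterfall(th, clauses, induction, others=None):
    """Returns ("proved", None, trace) or ("failed", reason, trace)."""
    others = others or [(hid, fail) for hid in ("ED", "CF", "GE", "EI")]
    top = [(cl, ()) for cl in clauses]   # history: (hid, clause, hnfo) triples, newest first
    pool = []                            # stack of (clause, tag); pool[0] is the head
    hyp_terms = frozenset()              # terms of the current induction hypothesis
    trace = []
    while True:
        if top:
            cl, hst = top.pop(0)
            out, hnfo = simplify(th, cl, hst, hyp_terms)
            if out == [cl] and not any(h[0] == "SD" for h in hst):
                hst = (("SD", cl, None),) + hst          # settle down and retry once
                trace.append(("SD", cl))
                out, hnfo = simplify(th, cl, hst, hyp_terms)
            hid = "SI"
            if out == [cl]:                              # simplifier failed: try the others
                for hid, proc in others:
                    out, hnfo = proc(th, cl, hst)
                    if out != [cl]:
                        break
            if out != [cl]:                              # some process succeeded
                top = [(c, ((hid, cl, hnfo),) + hst) for c in out] + top
                trace.append((hid, cl, tuple(out)))
            elif not cl:                                 # the empty clause cannot be pushed
                return "failed", "empty clause", trace
            else:
                pool.insert(0, (cl, "TBP"))              # the history is discarded
                trace.append(("PUSH", cl))
        elif not pool:
            return "proved", None, trace
        else:
            cl, tag = pool[0]
            if tag == "BP":                              # Top empty: the clause is proved
                pool.pop(0)
                trace.append(("POP", cl))
                continue
            sub = next(((c, t) for c, t in pool[1:] if subsumes(c, cl)), None)
            if sub is not None:
                if sub[1] == "BP":
                    return "failed", "probable induction loop", trace
                pool.pop(0)                              # proving the subsumer suffices
                trace.append(("SUBSUMED", cl, sub[0]))
                continue
            pool[0] = (cl, "BP")
            scheme = induction(th, cl)
            if scheme is None:
                return "failed", "no induction", trace
            new, hyp_terms = scheme
            top = [(c, ()) for c in new] + top           # empty histories after induction
            trace.append(("IN", cl, tuple(new)))

# Constructed theory and induction schemes (assumptions, not NQTHM's).
THEORY = {"axioms": frozenset({"base", "step"})}
SCHEMES = {
    Clause({"a"}): ([Clause({"base"}), Clause({"~h", "step"})], frozenset({"h"})),
    Clause({"q"}): ([Clause({"q", "r"})], frozenset()),   # loops back onto q
}

def toy_induction(th, cl):
    return SCHEMES.get(cl)          # None: no induction can be invented

def demo():
    return waterfall(THEORY, [Clause({"a"}), Clause({"a", "b"})], toy_induction)

if __name__ == "__main__":
    status, reason, trace = demo()
    print(status, reason)
    for step in trace:
        print(" ", step)
```

`demo()` proves the constructed conjecture {a} ∧ {a, b}: both clauses fail every process, settle down and are pushed onto the Pool; {a, b} is then popped because {a} subsumes it, {a} is tagged BP and handed to induction, the two clauses of its scheme are proved by the simplifier, and the final BP clause is popped. The three failure outcomes of the description (the empty clause, a clause for which no induction can be invented, and a subsuming clause already tagged BP) are also reachable from `waterfall`.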

4.2 The NERTh nerWat 

Clauses are specified by the sequent signature $esCl$, which includes a sort $Cl$ for clauses, as well as other sorts and operations to build clauses (e.g., specifying literals and disjunction), which we do not describe here. The waterfall manipulates lists (logically, conjunctions) of clauses. These are specified by the sequent signature $esCls$, with $esCl$ $esCls$. $esCls$ includes a sort $Cls$ for conjunctions of clauses, with $Cl < Cls$, and two operations, $\top : \to Cls$ and $(\_ \wedge \_) : Cls, Cls \to Cls$, for the empty clause conjunction and to conjoin clause conjunctions. $esCls$ contains equations stating that $(\_ \wedge \_)$ is commutative, associative, idempotent, and has $\top$ as identity. In other words, clause conjunctions are treated as sets.
Although not explicitly mentioned in the previous subsection, all the proving activity performed by NQTHM happens in the context of a database of axioms (of various kinds) with heuristic information (e.g., by which inference techniques a certain axiom should be used). From the logical point of view, this database represents a theory in which theorems can be proved. The sequent signature $esTh$ includes a sort $Th$ for theories, as well as other sorts and operations to build theories (not presented here).

$esTh$ and $esCls$ are composable, and their composition $esThCl = esTh + esCls$ constitutes the base to build sequents formalizing the logical assertions manipulated by the waterfall, by means of the sequent signatures $esWat_0$ and $esWat_1$, with $esThCl$ $esWat_0$ and $esThCl$ $esWat_1$. $esWat_0$ contains a sequent sort $Sq_W$ (i.e., $Sq_W \in Q$) and an operation $(\_ \vdash_W \_) : Th, Cls \to Sq_W$. A sequent of the form $(th \vdash_W \overline{cl})$ asserts that all the clauses in $\overline{cl}$ are provable from axioms in $th$. $esWat_1$ contains sequent sorts $Sq_{SI}$, $Sq_{ED}$, $Sq_{CF}$, $Sq_{GE}$, $Sq_{EI}$, and $Sq_{IN}$, and operations $(\_ \vdash_{SI} \_ \to \_) : Th, Cls, Cl \to Sq_{SI}$, $(\_ \vdash_{ED} \_ \to \_) : Th, Cls, Cl \to Sq_{ED}$, $(\_ \vdash_{CF} \_ \to \_) : Th, Cls, Cl \to Sq_{CF}$, $(\_ \vdash_{GE} \_ \to \_) : Th, Cls, Cl \to Sq_{GE}$, $(\_ \vdash_{EI} \_ \to \_) : Th, Cls, Cl \to Sq_{EI}$, and $(\_ \vdash_{IN} \_ \to \_) : Th, Cls, Cl \to Sq_{IN}$. A sequent of the form $(th \vdash_{SI} \overline{cl} \to cl)$ asserts that the provability of the clauses in $\overline{cl}$ implies that of $cl$, where $\overline{cl}$ are obtained by simplification upon $cl$ (in the context of theory $th$). The other kinds of sequents have analogous meaning (SI, ED, etc. identify the six main inference processes of NQTHM).

The logical inferences performed by the waterfall are specified by suitable rules of inference over the nested sequent systems $nesWat_0 = (esWat_0, erSbsm)$ and $nesWat_1 = (esWat_1, mterth)$. $mterth$ is the empty ERTh (i.e., with no sorts, no operations, etc.). $erSbsm$ is an ERTh including a sequent sort $Cn_{Sbsm}$ and an operation $Subsumes(\_, \_) : Cl, Cl \to Cn_{Sbsm}$. A sequent of the form $Subsumes(cl, cl')$ asserts that clause $cl'$ subsumes clause $cl$, and $erSbsm$ contains rules that specify subsumption (i.e., when $Subsumes(cl, cl')$ can be derived). The NERTh $nerWat_0$ consists of $nesWat_0$ and the following rules:

$$Qed : \;\Rightarrow\; th \vdash_W \top ,$$

$$ElimSubsumed : \{Subsumes(cl, cl')\} \quad th \vdash_W \overline{cl} \wedge cl' \;\Rightarrow\; th \vdash_W \overline{cl} \wedge cl \wedge cl' .$$

Qed specifies that the empty conjunction of clauses is provable in any theory, and models the end of the proof when there are no more clauses to prove in the Top or Pool. ElimSubsumed specifies that to prove a conjunction of clauses it is sufficient to prove all except one, provided this one is subsumed by another one in the conjunction; note the constraint (sequent of $erSbsm$) used as a side condition. This rule models the elimination of a subsumed clause from the Pool. The NERTh $nerWat_1$ consists of $nesWat_1$ and six rules, one of which is

$$CallSimp : \quad th \vdash_{SI} \overline{cl'} \to cl, \quad th \vdash_W \overline{cl'} \wedge \overline{cl} \;\Rightarrow\; th \vdash_W cl \wedge \overline{cl} .$$

CallSimp specifies that to prove the conjunction of $cl$ and $\overline{cl}$ it is sufficient to prove the conjunction of $\overline{cl'}$ and $\overline{cl}$, where the $\overline{cl'}$ are the result of simplifying $cl$. Its backward application models the invocation of the simplification process upon a clause and the replacement of the clause with those resulting from simplification. The other five rules, CallElDes, CallCrFer, CallGen, CallElIrr, and CallInd, are analogous. $nerWat_0$ and $nerWat_1$ are composable, and $nerWat = nerWat_0 + nerWat_1$.



4.3 The NERTh $nerWat^a$

The sequents and rules just presented do not specify anything about clause histories, division between Top and Pool, and so on. That, in fact, constitutes non-logical (i.e., control) information, and is specified, along with its manipulation, by annotated sequents and rules in $nerWat^a$.

Histories are specified by the sequent signature $esHst$, with $esCls$ $esHst$. $esHst$ includes a sort $Hid$ and seven constants $SI, ED, CF, GE, EI, IN, SD : \to Hid$ for history identifiers, as well as a sort $Hinfo$ and operations for process-specific history information. It also includes a sort $Helem$ and an operation $[\_, \_, \_] : Hid, Cl, Hinfo \to Helem$ for history elements; a sort $Hst$ for histories, with $Helem < Hst$, and operations $0 : \to Hst$ and $(\_ \cdot \_) : Hst, Hst \to Hst$ for the empty history and to concatenate histories, plus equations stating that $(\_ \cdot \_)$ is associative and has identity $0$ (i.e., histories are treated as lists). Clauses paired with histories are specified by a sort $ClH$ and an operation $(\_/\_) : Cl, Hst \to ClH$; their conjunctions are specified by a sort $ClHs$, with $ClH < ClHs$, and operations $\top : \to ClHs$ and $(\_ \wedge \_) : ClHs, ClHs \to ClHs$, which is associative and has identity $\top$ (these conjunctions are thus treated as lists, as opposed to sets; in fact, the ordering of the elements of a list constitutes control information).

Pool tags are formalized by the sequent signature $esTag$, with $esCls$ $esTag$, which includes a sort $ClT$ for tagged clauses, and two operations $TBP(\_) : Cl \to ClT$ and $BP(\_) : Cl \to ClT$ to tag clauses. Conjunctions of tagged clauses are specified by a sort $ClTs$, with $ClT < ClTs$, and two operations $\top : \to ClTs$ and $(\_ \wedge \_) : ClTs, ClTs \to ClTs$; the latter is associative and has identity $\top$.

The sequent signature $esDB$ contains a sort $DB$ for databases of axioms (with heuristic information), as well as sorts and operations to build them. $esDB$, $esHst$, and $esTag$ are composable, and $esDBHstTag = esDB + esHst + esTag$ constitutes the base to build the annotated sequents manipulated by the waterfall. These are specified by sequent signatures $esWat^a_0$ and $esWat^a_1$, with $esDBHstTag$ $esWat^a_0$ and $esDBHstTag$ $esWat^a_1$. $esWat^a_0$ contains a sequent sort $Sq^a_W$ and an operation $(\_ \vdash_W \_ ; \_) : DB, ClHs, ClTs \to Sq^a_W$. An (annotated) sequent of the form $(db \vdash_W clh ; clt)$ asserts that the clauses in $clh$ and $clt$ are provable from the axioms in $db$. It also embeds control information: $clh$ and $clt$ constitute the Top and the Pool, with histories and tags; $db$ contains heuristic information for the axioms. $esWat^a_1$ contains sequent sorts $Sq^a_{SI}$, $Sq^a_{ED}$, $Sq^a_{CF}$, $Sq^a_{GE}$, $Sq^a_{EI}$, and $Sq^a_{IN}$, and operations $(\_ \vdash_{SI} \_, \_ \to \_, \_) : DB, Cls, Hinfo, Cl, Hst \to Sq^a_{SI}$, $(\_ \vdash_{ED} \_, \_ \to \_, \_) : DB, Cls, Hinfo, Cl, Hst \to Sq^a_{ED}$, $(\_ \vdash_{CF} \_, \_ \to \_, \_) : DB, Cls, Hinfo, Cl, Hst \to Sq^a_{CF}$, $(\_ \vdash_{GE} \_, \_ \to \_, \_) : DB, Cls, Hinfo, Cl, Hst \to Sq^a_{GE}$, $(\_ \vdash_{EI} \_, \_ \to \_, \_) : DB, Cls, Hinfo, Cl, Hst \to Sq^a_{EI}$, and $(\_ \vdash_{IN} \_, \_ \to \_) : DB, Cls, Hinfo, Cl \to Sq^a_{IN}$. An (annotated) sequent of the form $(db \vdash_{SI} \overline{cl}, hnfo \to cl, hst)$ asserts that $\overline{cl}$ and $hnfo$ are the result of the simplification process when called upon $cl$ with history $hst$. The other kinds of (annotated) sequents have analogous meaning.

The nested sequent signature $nesWat^a_0$ consists of $esWat^a_0$ and nested ERThs for various constraints (obtained by composition) whose details we omit here. The NERTh $nerWat^a_0$ consists of $nesWat^a_0$ and some (annotated) rules of inference, including

$$Qed^a : \;\Rightarrow\; db \vdash_W \top ; \top ,$$

$$ElimSubsumed^a : \{Subsumes(cl, cl')\} \quad db \vdash_W clh ; clt \wedge TBP(cl') \wedge clt' \;\Rightarrow\; db \vdash_W clh ; TBP(cl) \wedge clt \wedge TBP(cl') \wedge clt' ,$$

which constitute the annotated counterparts of rules Qed and ElimSubsumed previously shown. Note that the subsuming clause $cl'$ is required to be tagged by TBP. The elimination of a proved clause from the Pool is formalized by

$$ElimProved^a : \quad db \vdash_W \top ; clt \;\Rightarrow\; db \vdash_W \top ; BP(cl) \wedge clt ,$$

which eliminates the clause at the head of the Pool if it is tagged by BP and the Top is empty (all these rules must be read backwards). Finally, the pushing of a clause from the Top onto the Pool, and the settling-down of a clause are specified by

$$Push^a : \{NonEmpty(cl)\} \quad db \vdash_W clh ; TBP(cl) \wedge clt \;\Rightarrow\; db \vdash_W (cl/hst) \wedge clh ; clt ,$$

$$SettleDown^a : \{NoneSD(hst)\} \quad db \vdash_W (cl/([SD, cl, 0] \cdot hst)) \wedge clh ; clt \;\Rightarrow\; db \vdash_W (cl/hst) \wedge clh ; clt .$$

The side conditions $NonEmpty(cl)$ and $NoneSD(hst)$ respectively require that $cl$ is non-empty (i.e., it has at least one literal) and that $hst$ does not contain the history identifier SD. $0 : \to Hinfo$ is the empty history information.

The nested sequent signature $nesWat^a_1$ consists of $esWat^a_1$ and nested ERThs for various constraints whose details we omit here. The NERTh $nerWat^a_1$ consists of $nesWat^a_1$ and some (annotated) rules of inference, including

$$CallSimp^a : \{\overline{cl} \neq cl\} \quad db \vdash_{SI} \overline{cl}, hnfo \to cl, hst, \quad db \vdash_W atchst(\overline{cl}, [SI, cl, hnfo] \cdot hst) \wedge clh ; clt \;\Rightarrow\; db \vdash_W (cl/hst) \wedge clh ; clt ,$$

which constitutes the annotated counterpart of CallSimp. Read backwards, it specifies that the clause and history at the head of the Top are fed into the simplifier and replaced by the clauses returned by it, all paired with the suitably extended history ($atchst(\_, \_) : Cls, Hst \to ClHs$ pairs each clause of a conjunction with a history, as specified by suitable equations)¹. The side condition requires that the simplifier does not fail. The rules $CallElDes^a$, $CallCrFer^a$, $CallGen^a$, $CallElIrr^a$, and $CallInd^a$ are analogous. $nerWat^a_0$ and $nerWat^a_1$ are composable, and $nerWat^a = nerWat^a_0 + nerWat^a_1$.



4.4 The Erasing Mapping

The erasing mapping removes control information. Histories and Pool tags constitute control information. Therefore, we have, for instance, that = [ ], $\varepsilon_W(ClHs) = \varepsilon_W(ClTs) = Cls$, and $\varepsilon_W(cl/hst) = \varepsilon_W(TBP(cl)) = cl$. Since clauses tagged by BP are logically redundant, they constitute control information altogether, as specified by $\varepsilon_W(BP(cl)) = [\,]$. Databases are mapped to their underlying theories, $\varepsilon_W(DB) = Th$. Annotated sequents are mapped to their non-annotated counterparts, e.g., $\varepsilon_W(Sq^a_W) = Sq_W$, $\varepsilon_W(db \vdash_W clh ; clt) = (\varepsilon_W(db) \vdash_W \varepsilon_W(clh) \wedge \varepsilon_W(clt))$, $\varepsilon_W(Sq^a_{SI}) = Sq_{SI}$, and $\varepsilon_W(db \vdash_{SI} \overline{cl}, hnfo \to cl, hst) = (\varepsilon_W(db) \vdash_{SI} \overline{cl} \to cl)$.

By applying the erasing mapping to the premisses, conclusion, and side condition (which gets erased altogether) of $CallSimp^a$, we obtain an instance of CallSimp, thereby guaranteeing the existence of a derivation structure as required by the formal definition in Sect. 2.3. If we apply the erasing mapping to the premiss and to the conclusion of $Push^a$, we respectively obtain $(th \vdash_W \overline{cl}' \wedge cl \wedge \overline{cl}'')$ and $(th \vdash_W cl \wedge \overline{cl}' \wedge \overline{cl}'')$ (where $db$, $clh$, and $clt$ are respectively mapped to $th$, $\overline{cl}'$, and $\overline{cl}''$), which are the same sequent. Therefore, this rule maps to a trivial derivation structure (the side condition is just erased). In other words, it only modifies control information, leaving logical content unaltered; the same holds for $ElimProved^a$ and $SettleDown^a$.

5 Conclusions and Future Work 

In this paper we have formalized the composition and nesting of ERThs by means of faithful inclusions. We have also formalized the concept of annotated (N)ERThs by means of erasing mappings. Working in the special case of ERThs, the mappings we need are well understood notions of mappings of theories in a logic. Mappings for a very general notion of reasoning theory are developed in [20]. The mappings used in this paper provide the starting point for developing a more general theory of composition and annotation. There is also work in progress to generalize the notion of faithful inclusion to allow a richer collection of mappings to be used directly for composition.

¹ In the actual LISP code of NQTHM, the sets of terms appearing in the induction hypothesis and conclusion are passed as separate arguments to the simplifier. However, we believe they can be more nicely and elegantly specified (and implemented as well) as history information produced by the induction process. We have therefore introduced a seventh history identifier for induction, and specified that induction returns a history information together with the clauses constituting the induction schema.

While annotations can be used to specify search information and its manipu- 
lation, in order to fully specify an OMRS we also need a formal way to specify 
the strategy of application of annotated rules. In [9] this is done by means of 
a tactical language, and a tactical language is also used in [3]. We are working 
towards the development of a general formalism to capture tactical languages 
and also more general mechanisms; given the close connections between reaso- 
ning theories and rewriting logic studied in [20], such formalisms may perhaps 
be fruitfully related to the internal strategy languages of rewriting logic [8]. 
What remains to give a full specification of an OMRS is its interaction level. A 
formalism for this has still to be developed. 
Abstract. Most combination methods for decision procedures known
from the area of automated deduction assign to a given “combined” 
input problem an exponential number of output pairs where the two 
components represent “pure” decision problems that can be decided with 
suitable component decision procedures. A mixed input decision problem 
evaluates to true iff there exists an output pair where both components 
evaluate to true. We provide a formal framework that explains why in 
many cases it is impossible to have a polynomial-time optimization of 
such a combination method, and why often combined decision problems 
are NP-hard, regardless of the complexity of the component problems. 
As a first application we consider Oppen’s combination method for algo- 
rithms that decide satisfiability of quantifier-free formulae in disjunctive 
normal form w.r.t. a first-order theory. A collection of first-order theo- 
ries is given where combined problems are always NP-hard and Oppen’s 
method does not have a polynomial-time optimization. As a second ex- 
ample, similar results are given for the problem of combining algorithms 
that decide whether a unification problem has a solution w.r.t. to a given 
equational theory. 



1 Introduction 

The problem of how to combine decision procedures and related algorithms is 
ubiquitous in many fields. In particular in the area of automated deduction 
many instances of this problem have been studied [N079, Op80, Sh84, CLS94, 
Ri96, TH96, Ki85, He86, Ti86, Ye87, Ni89, SS89, Bo93, BS96, DKR94, BS95a, 
KR98, Ke98]. Many of these combination methods (e.g., [Op80, BS96, DKR94,
BS95a, Ke98]) basically follow a similar strategy: a “mixed” input problem is 
first decomposed into a pair of two “pure” component problems. Before the two 
component problems are evaluated in two independent processes, some characte- 
ristic restriction is imposed on both components that guarantees that two given 
solutions of the component problems can safely be combined to a joint solution 
of the mixed input problem. This restriction is chosen in a non-deterministic 
way from a set of possible restrictions, which depends on the input problem. 

* This paper was first presented at the “Workshop on Complexity in Automated De- 
duction” organized by M. Hermann in Nancy (June 1999). 
Unfortunately, in general (e.g. in [Op80,BS96]) the number of possible re-
strictions for a given input problem is exponential in the size of the mixed input. 
Hence the combination algorithm introduces its own NP-complexity, regard- 
less of the complexity of the algorithms that are available for the components. 
Often it is simple to optimize the naive approach to a certain extent and to 
eliminate, after a simple inspection, some of the “possible” restrictions (cf. e.g. 
[N079,KR98]). The question arises in which cases a polynomial-time procedure 
can be found that leads to a polynomial number of restrictions that have to be 
considered. In this paper we show, generalizing previous results in [Sc97,Sc99], 
that in many cases such a polynomial optimization is impossible (unless P = 
NP) and the combined decision problems are NP-hard. 

The main contribution of the paper is a formal framework that helps to un- 
derstand why combined problems are often much more difficult to solve than 
their components, and why this leads to the situation described above. Basi- 
cally, we first look at a class of simple problems where it is easy to demonstrate 
that even the combination of two perfectly trivial component problems can be- 
come intractable. We then show how to lift impossibility results for polynomial 
combination and intractability results for a given class of combination problems 
to another class of combination problems. In order to illustrate this technique 
we apply it two well-known combination problems from automated deduction. 

The structure of the paper is the following. We start with some preliminaries 
in Section 2. In Section 3 we describe Oppen’s procedure for combining algo- 
rithms that decide satisfiability of quantifier-free formulae in disjunctive normal 
form w.r.t. a first-order theory T, and a method for combining algorithms that 
decide solvability of unification problems w.r.t. a given equational theory E in-
troduced in [BS96]. In Section 4 we introduce the abstract notion of a so-called 
protocol-based combination method and show that the two combination me- 
thods of Section 3 fall in this class. We also formalize the notion of a polynomial 
optimization of a given protocol-based combination method. In Section 5 we con- 
sider the problem of combining decision procedures for generalized satisfiability 
problems in the sense of Schaefer [Sh78] . Some trivial examples are given that 
demonstrate that the combination of decision problems can be NP-hard even if 
all instances of component problems are always solvable. We also introduce a 
specific protocol-based combination method and give simple examples where a 
polynomial optimization of this method is impossible unless P = NP. In Section 6 
we introduce the notion of a polynomial interpretation of one protocol-based 
combination method (source method) in another (target method) and show how 
impossibility results for polynomial optimization, as well as NP-hardness results 
for combined input problems, can be lifted from the source method to the target 
method. 

The following two sections are used to illustrate this formal framework. In 
Section 7 we introduce two abstract classes of first-order theories and show that 
there is no polynomial optimization of Oppen’s combination method if applied 
to a combination of theories of class 1 and 2 respectively. For both classes, a list 
of example theories is given. In Section 8 we introduce two classes of equational 
theories and show that there is no polynomial optimization of the combination
method of [BS96] if applied to a combination of equational theories of class 1 and 
2 respectively. We prove that each regular equational theory with a commutative 
(or associative) function symbol belongs to class 1, and each simple equational 
theory with a non-constant function symbol belongs to class 2. In the conclusion 
we discuss the relevance of all these observations. 

Some remarks on related work are in order. In the area of unification theory, some results are known which show that there cannot be a general polynomial-time algorithm for combining procedures that decide solvability of unification problems, unless P = NP: solvability of associative-commutative-idempotent (ACI-) unification problems with free constants is decidable in polynomial time and unifiability in the empty theory can be decided in linear time, but the problem of deciding solvability of ACI-unification problems with additional free function symbols (called general ACI-unification) is NP-hard (see [KN91]). The latter problem can be considered as a combination of ACI-unification with unification in the empty theory. The same increase of complexity has been observed when adding free function symbols to the theory ACUN of an associative-commutative and nilpotent function with unit, or to the theory ACUNh which contains in addition a homomorphic unary function symbol (see [GN96] for formal definitions). A corresponding impossibility result for the case of algorithms that compute minimal complete sets of unifiers modulo finitary equational theories was obtained by M. Hermann and P.G. Kolaitis [HK96], by proving intractability of the counting problem for general unification in the theory of abelian groups (AG-unification). The results on combination of E-unification algorithms given in Section 8 generalize previous results of the same author in [Sc97,Sc99].

2 Formal Preliminaries 

We assume that the reader is familiar with the basic notions of first-order predicate calculus. For convenience, we recall some more specific concepts from the area of equational unification that are used below.

An equational theory is given by a set E of identities s = t between terms s and t. The signature of E is the set $\Sigma$ of all function symbols occurring in E. Let Var denote a countably infinite set of variables. With $=_E$ we denote the least congruence relation on the term algebra $T(\Sigma, Var)$ that is closed under substitution and contains E. An equational theory E is trivial iff $x =_E y$ holds for two distinct variables x, y. In the following, we consider only non-trivial equational theories. In this paper, two special types of equational theories will be considered. An equational theory E is regular if $Var(s) = Var(t)$ for all identities s = t of E. Here Var(t) denotes the set of variables occurring in the term t. An equational theory E is simple if no term is equivalent modulo E to a proper subterm. For a detailed explanation of these notions and for an introduction to equational unification we refer to [BS94].

Remark 1. The following fact can easily be proved for regular equational theories E: $\forall s, t \in T(\Sigma, X)$: $s =_E t$ implies $Var(s) = Var(t)$.

Given an equational theory E with signature $\Sigma$, an elementary E-unification problem is a finite conjunction of equations between $\Sigma$-terms. In E-unification problems with constants (general E-unification problems), these terms may contain additional free constant (function) symbols, i.e., symbols not contained in the signature $\Sigma$ of E.

A solution (or E-unifier) of the E-unification problem $\varphi$ of the form $s_1 =^? t_1 \wedge \dots \wedge s_n =^? t_n$ is a substitution $\sigma$ such that $\sigma(s_i) =_E \sigma(t_i)$ for $i = 1, \dots, n$. If there exists such a solution, then $\varphi$ is called solvable or unifiable.

3 Two Combination Problems for Decision Problems 

In this section we briefly introduce the two combination problems from the area of automated deduction that represent the source of motivation and the intended application for the results on intractability of combined decision problems described later.



3.1 Nelson-Oppen Type Combination Problems and Satisfiability of Quantifier-Free Formulae in Disjunctive Normal Form

The situation studied by Nelson and Oppen in [NO79] is the following: Let $T_1$ and $T_2$ denote two first-order theories, formulated in first-order languages over disjoint signatures $\Sigma_1$ and $\Sigma_2$ respectively. Assume that for i = 1, 2 we have an algorithm for deciding satisfiability of a given quantifier-free $\Sigma_i$-formula w.r.t. (i.e., in a model of) theory $T_i$. Nelson and Oppen show how to obtain an algorithm for deciding satisfiability of quantifier-free $(\Sigma_1 \cup \Sigma_2)$-formulae. A technical assumption is that both theories have to be stably infinite, which means that each quantifier-free $\Sigma_i$-formula that is satisfiable in some model of $T_i$ is also satisfiable in an infinite model of $T_i$ (i = 1, 2).

In the present paper we do not look at the problem treated by Nelson and Oppen, but at a variant studied in [Op80] where input formulae are restricted to quantifier-free $(\Sigma_1 \cup \Sigma_2)$-formulae in disjunctive normal form. The reason is that we want to characterize situations where the pure component problems are polynomial-time solvable and the combination of both decision problems becomes NP-hard. Quite generally it is simple to encode Boolean satisfiability problems as satisfiability problems of quantifier-free formulae w.r.t. a given component theory $T_i$. Hence, when admitting arbitrary quantifier-free formulae as input, already the treatment of "pure" input formulae over a single component signature $\Sigma_i$ is NP-hard. In contrast, satisfiability of quantifier-free formulae in disjunctive normal form (qf-dnf formulae) reduces to satisfiability of conjunctions of literals. In fact a qf-dnf formula $\varphi$ is satisfiable w.r.t. $T_1 \cup T_2$ iff one disjunct of $\varphi$ is satisfiable w.r.t. $T_1 \cup T_2$. Since satisfiability of clauses$^1$ w.r.t. pure component theories $T_i$ is often polynomial-time decidable (see [Op80,NO79] for examples) we have here a situation where combination may in fact cause a complexity gap.

$^1$ With a clause we mean a conjunction of atomic formulae.

In the sequel, a $(\Sigma_1 \cup \Sigma_2)$-clause is said to be in decomposed form if it has the form $\varphi_1 \wedge \varphi_2$ where the subclauses $\varphi_1$ and $\varphi_2$ are built over the signatures $\Sigma_1$ and $\Sigma_2$ respectively. Given a clause $\varphi$ in the mixed signature $\Sigma_1 \cup \Sigma_2$, which is to be tested for satisfiability w.r.t. $T_1 \cup T_2$, Oppen discusses the following non-deterministic procedure.

Oppen's Procedure. In the first step we use "variable abstraction$^2$" to transform the input clause $\varphi$ into a clause in decomposed form $\varphi_1 \wedge \varphi_2$ such that $\varphi$ and $\varphi_1 \wedge \varphi_2$ are equivalent in terms of satisfiability w.r.t. $T_1 \cup T_2$. In the second step we non-deterministically choose a partition $\Pi = \{P_1, \dots, P_k\}$ of the variables shared by $\varphi_1$ and $\varphi_2$. For each of the classes $P_i$, let $x_i \in P_i$ be a representative of this class, and let $X_\Pi := \{x_1, \dots, x_k\}$ be the set of these representatives. The substitution that replaces, for all $i = 1, \dots, k$, each element of $P_i$ by its representative $x_i$ is denoted by $\sigma_\Pi$. In the third step we test if the formulae $\sigma_\Pi(\varphi_i) \wedge \bigwedge_{x \neq y \in X_\Pi} x \neq y$ are satisfiable in $T_i$ (i = 1, 2); in the positive case we return "satisfiable".

Proposition 1. ([Op80]) Assume that $T_1$ and $T_2$ have disjoint signatures and both are stably infinite. The input clause $\varphi$ is satisfiable w.r.t. $T_1 \cup T_2$ iff there exists a choice for the partition $\Pi$ where the algorithm returns "satisfiable".

The number of partitions of a set of n elements is known as the n-th Bell number and denoted B(n). This function grows faster than $2^n$ or $(n/2)!$. Hence the practical worst-case behaviour of Oppen's procedure is exponential. The results of this paper will show that there are various component theories $T_1$ and $T_2$ where it is impossible to obtain a polynomial-time combination algorithm, in a sense to be made precise.
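As an added illustration (this code is not part of the original paper), the following Python program enumerates the partitions $\Pi$ that Oppen's Procedure ranges over, builds for each of them the pure formulae $\sigma_\Pi(\varphi_i) \wedge \bigwedge x \neq y$, and searches them exhaustively. The component decision procedures are an assumption made here: both $T_1$ and $T_2$ are taken to be the theory of equality with one uninterpreted unary function symbol each (f resp. g), decided by a small congruence closure; the input clauses are constructed for the example. Counting the partitions along the way reproduces the Bell numbers mentioned above.

```python
from itertools import combinations

# Terms: a variable is a str, a function application is a pair ('f', argument) (unary
# symbols suffice here). A clause is a list of literals ('=', s, t) or ('!=', s, t).


def set_partitions(elems):
    """Yield every partition of `elems` as a list of blocks. The first element goes either
    into one of the blocks of a partition of the rest or into a fresh singleton block, so
    each partition is produced exactly once (there are B(n) of them)."""
    elems = list(elems)
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for smaller in set_partitions(rest):
        for i in range(len(smaller)):
            yield smaller[:i] + [[first] + smaller[i]] + smaller[i + 1:]
        yield [[first]] + smaller


def bell(n):
    """The n-th Bell number B(n), obtained by counting the partitions of an n-element set."""
    return sum(1 for _ in set_partitions(range(n)))


def variables(clause):
    """Set of variables occurring in a clause."""
    found = set()

    def walk(t):
        if isinstance(t, tuple):
            walk(t[1])
        else:
            found.add(t)
    for _, s, t in clause:
        walk(s)
        walk(t)
    return found


def arrangement(partition, clause):
    """sigma_Pi(clause) conjoined with x != y for all distinct representatives x, y in X_Pi.
    The representative of a block is its alphabetically smallest variable."""
    rep = {v: min(block) for block in partition for v in block}

    def sub(t):
        return (t[0], sub(t[1])) if isinstance(t, tuple) else rep.get(t, t)
    pure = [(op, sub(s), sub(t)) for op, s, t in clause]
    reps = sorted(set(rep.values()))
    return pure + [('!=', x, y) for x, y in combinations(reps, 2)]


def euf_sat(clause):
    """Assumed component procedure: satisfiability of a conjunction of (dis)equations in the
    theory of equality with uninterpreted unary function symbols, via congruence closure
    on a union-find structure (equal arguments force equal applications)."""
    parent = {}

    def find(t):
        parent.setdefault(t, t)
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    terms = set()

    def collect(t):
        terms.add(t)
        if isinstance(t, tuple):
            collect(t[1])
    for _, s, t in clause:
        collect(s)
        collect(t)
    for op, s, t in clause:
        if op == '=':
            parent[find(s)] = find(t)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:
        changed = False
        for a, b in combinations(apps, 2):
            if a[0] == b[0] and find(a[1]) == find(b[1]) and find(a) != find(b):
                parent[find(a)] = find(b)
                changed = True
    return all(find(s) != find(t) for op, s, t in clause if op == '!=')


def oppen_combine(phi1, phi2, sat1, sat2):
    """Oppen's Procedure with the non-deterministic choice replaced by exhaustive search over
    all partitions of the shared variables. Returns the first partition under which both pure
    sides are satisfiable, or None when the combined clause is unsatisfiable w.r.t. T1 u T2."""
    shared = sorted(variables(phi1) & variables(phi2))
    for partition in set_partitions(shared):
        if sat1(arrangement(partition, phi1)) and sat2(arrangement(partition, phi2)):
            return partition
    return None


# Constructed inputs: phi1 is pure over signature {f}, phi2 is pure over signature {g}.
PHI1_UNSAT = [('=', 'u', ('f', 'z')), ('=', 'v', ('f', 'z'))]              # forces u = v
PHI1_SAT = [('=', 'u', ('f', 'z')), ('=', 'v', ('f', 'w'))]                # u, v independent
PHI2 = [('=', 'x', ('g', 'u')), ('=', 'y', ('g', 'v')), ('!=', 'x', 'y')]  # forces u != v

if __name__ == '__main__':
    print([bell(n) for n in range(8)])                        # [1, 1, 2, 5, 15, 52, 203, 877]
    print(oppen_combine(PHI1_UNSAT, PHI2, euf_sat, euf_sat))  # None
    print(oppen_combine(PHI1_SAT, PHI2, euf_sat, euf_sat))    # [['u'], ['v']]
```

The disequations between the representatives are what make the third step sound: without them, the partition $\{\{u, v\}\}$ would not be the only scenario in which $\varphi_1$ identifies u and v, and the two component procedures could silently disagree about which shared variables are equal. The search is exponential in the number of shared variables, exactly as the Bell number bound above predicts.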



3.2 Combination of E-Unification Algorithms 

In this section we give a brief description of the combination procedure for unification algorithms for equational theories over disjoint signatures given in [BS96]. Before we can describe the algorithm, we have to introduce a generalization of E-unification problems with constants. Let $X \subseteq Var$ be a finite set of variables, let $\Pi$ be a partition of X. With $[x]_\Pi$ we denote the equivalence class of $x \in X$ with respect to $\Pi$. A partial ordering "<" on X is $\Pi$-congruent if $x < y$ implies $x' < y'$ for all $x, x', y, y' \in X$ such that $[x]_\Pi = [x']_\Pi$ and $[y]_\Pi = [y']_\Pi$. A $\Pi$-total ordering on X is a $\Pi$-congruent ordering "<" such that $[x]_\Pi \neq [y]_\Pi$ implies that either $x < y$ or $y < x$, for all $x, y \in X$. Let M be a set. A function $F : X \to M$ is $\Pi$-congruent if $F(x) = F(x')$ for all $x, x' \in X$ such that $[x]_\Pi = [x']_\Pi$. In the sequel we assume that Var is enumerated in a fixed order. With $rep_\Pi(x)$ we denote the minimal representative of $[x]_\Pi$ w.r.t. this enumeration order.

Definition 1. Let $E_1$ be an equational theory with signature $\Sigma_1$, let $\Sigma_2$ be a second signature. Let $\varphi_1$ be an elementary $E_1$-unification problem and let X be a finite set of variables with $Var(\varphi_1) \subseteq X$. A linear constant restriction for X is a triple $L = (\Pi, Lab, <_L)$ where $\Pi$ is a partition of X, $<_L$ is a $\Pi$-total partial ordering on X and $Lab : X \to \{\Sigma_1, \Sigma_2\}$ is $\Pi$-congruent. If $Lab(x) = \Sigma_1$ (resp. $Lab(x) = \Sigma_2$) we say that x receives a domestic (resp. alien) label, or simply that x is a domestic (alien) variable. The pair $(\varphi_1, L)$ is called an $E_1$-unification problem with linear constant restriction. A $\Sigma_1$-substitution $\sigma$ solves $(\varphi_1, L)$ if $\sigma$ solves the $E_1$-unification problem $\varphi_1$ and if the following conditions are satisfied:

1. for all $x \in X$ we have $\sigma(x) = \sigma(rep_\Pi(x))$,

2. $\sigma(y) = rep_\Pi(y)$ for each alien variable $y \in X$,

3. for all $x, y \in X$: if y is alien, x is domestic, and if $\sigma(y)$ occurs in $\sigma(x)$, then $y <_L x$.

$^2$ See, e.g., [BS96] for a description of this well-known technique.

Let $E_1$ and $E_2$ be two consistent equational theories over disjoint signatures $\Sigma_1$ and $\Sigma_2$ respectively. As in the case of satisfiability problems, an elementary $(E_1 \cup E_2)$-unification problem $\varphi'$ is in decomposed form if $\varphi'$ has the form $\varphi_1 \wedge \varphi_2$ where the "pure" subproblems $\varphi_1$ and $\varphi_2$ are built over the signatures $\Sigma_1$ and $\Sigma_2$ respectively. Suppose that we want to decide solvability of an elementary $(E_1 \cup E_2)$-unification problem $\varphi$. The following Decomposition Algorithm, described in more detail in [BS96], reduces $\varphi$ non-deterministically to a finite number of output pairs. Each component of an output pair represents an ($E_1$- resp. $E_2$-) unification problem with linear constant restriction.

Decomposition Algorithm. In the first step, the input problem $\varphi$ is transformed via variable abstraction into an elementary $(E_1 \cup E_2)$-unification problem in the decomposed form $\varphi_1 \wedge \varphi_2$ such that $\varphi$ is solvable iff $\varphi_1 \wedge \varphi_2$ is solvable. Let $X := Var(\varphi_1 \wedge \varphi_2)$. In the (non-deterministic) second step, a linear constant restriction $L = (\Pi, Lab, <_L)$ for X is chosen. The output pair determined by L is $((\varphi_1, L), (\varphi_2, L))$.

Proposition 2. ([BS96]) Assume that $E_1$ and $E_2$ have disjoint signatures. The input problem $\varphi$ has a solution iff there exists an output pair of the Decomposition Algorithm, $((\varphi_1, L), (\varphi_2, L))$, such that both the $E_1$-unification problem with linear constant restriction $(\varphi_1, L)$ has a solution and the $E_2$-unification problem with linear constant restriction $(\varphi_2, L)$ has a solution.

Note that variables with label $\Sigma_1$ are domestic in $(\varphi_1, L)$ but alien in $(\varphi_2, L)$; the same holds, mutatis mutandis, for variables with label $\Sigma_2$. Obviously, if n denotes the number of variables of the problem $\varphi_1 \wedge \varphi_2$ reached after step 1, the number of output pairs of the Decomposition Algorithm even exceeds the n-th Bell number B(n). Hence the worst-case behaviour of the algorithm is exponential. The results of this paper will show, in a sense to be made precise, that in many cases it is impossible to obtain a polynomial-time combination method.

4 Combined Decision Problems and Protocol-Based Combination of Decision Procedures

In this section we show that Oppen's Procedure and the Decomposition Algorithm for combined E-unification algorithms can be considered as two special instances of a general and abstract notion of combination algorithm. We start with some basic and well-known concepts.

Definition 2. A decision problem is a pair $\mathcal{D} = (\mathcal{P}, val)$ where $\mathcal{P}$ is a set and $val : \mathcal{P} \to \{0, 1\}$ is a mapping. The elements of $\mathcal{P}$ are called the instances of $\mathcal{D}$.

We assume that each instance $\varphi \in \mathcal{P}$ is of a specific syntactic size. The complexity of $\mathcal{D}$ is the complexity of deciding, given an instance $\varphi$ of $\mathcal{D}$, if $val(\varphi) = 1$. The following examples show how the problems that are treated in Oppen's Procedure resp. in the Decomposition Algorithm can be described as decision problems in the above sense.

Example 1. Let T be a theory (set of sentences) over a first-order language $\mathcal{L}$, let $\mathcal{P}_T$ denote the set of quantifier-free formulae in disjunctive normal form of $\mathcal{L}$. For $\varphi \in \mathcal{P}_T$ let $val_T(\varphi) = 1$ iff $\varphi$ is satisfiable in some model of T. The decision problem $(\mathcal{P}_T, val_T)$ is called the qf-dnf satisfiability problem for T.

Example 2. Let E be an equational theory, let $\mathcal{P}_E$ denote the set of all elementary E-unification problems. For $\varphi \in \mathcal{P}_E$ let $val_E(\varphi) = 1$ iff $\varphi$ is unifiable. The decision problem $(\mathcal{P}_E, val_E)$ is called the E-unifiability problem.

Decision problems often come in natural classes. Moreover, given such a class $\mathcal{C}$ there is often a natural notion of combining two decision problems in $\mathcal{C}$: given two decision problems $\mathcal{D}_1$ and $\mathcal{D}_2$ in $\mathcal{C}$, there is a unique decision problem in $\mathcal{C}$ that can be considered as "the" natural combination of $\mathcal{D}_1$ and $\mathcal{D}_2$.

Example 3. [Ex. 1 cont.] Let $\mathcal{C}_{qf\text{-}dnf}$ denote the class of all qf-dnf satisfiability problems for T, where T denotes any first-order theory. If $\mathcal{D}_{T_i}$ denotes the qf-dnf satisfiability problem for $T_i$, for i = 1, 2 and first-order theories $T_1, T_2$, then the natural combination is the qf-dnf satisfiability problem for the union $T_1 \cup T_2$.

Example 4. [Ex. 2 cont.] Let $\mathcal{C}_{unif}$ denote the class of all E-unifiability problems, for arbitrary equational theories E. If $\mathcal{D}_{E_i}$ denotes the $E_i$-unifiability problem, for i = 1, 2 and equational theories $E_1, E_2$, then the natural combination is the problem $\mathcal{D}_{E_1 \cup E_2}$ of $(E_1 \cup E_2)$-unifiability.

For the rest of the section we fix a class $\mathcal{C}$ of decision problems. We assume that there exists a natural notion of combining problems in $\mathcal{C}$. We write $\mathcal{D}_1 \otimes \mathcal{D}_2$ for the combination of the problems $\mathcal{D}_1$ and $\mathcal{D}_2$ of the class $\mathcal{C}$, and $\mathcal{D}_1$ and $\mathcal{D}_2$ will be called the plain component problems of $\mathcal{D}_1 \otimes \mathcal{D}_2$. For simplicity we generally assume that the instances of a combined problem $\mathcal{D}_1 \otimes \mathcal{D}_2$ have the form $\varphi_1 \wedge \varphi_2$ where $\varphi_i$ is an instance of $\mathcal{D}_i$ for i = 1, 2. Recall that this assumption is justified in the case of Oppen's Procedure and in the case of the Decomposition Algorithm for combined E-unification algorithms. In both cases the first step is used to reach this form of input. From another perspective, which is used below, this straightforward and deterministic step may be considered as a kind of preprocessing that is not part of the algorithm. We write $\mathcal{P}_1 \otimes \mathcal{P}_2$ for the set of all conjunctions of the form $\varphi_1 \wedge \varphi_2$ where $\varphi_i$ is an instance of $\mathcal{D}_i$ for i = 1, 2. Hence $\mathcal{D}_1 \otimes \mathcal{D}_2$ has the form $(\mathcal{P}_1 \otimes \mathcal{P}_2, val)$ for suitable val.

Our next aim is to study "combination methods", i.e., methods for deciding combined decision problems by reduction to pure subproblems that can be decided by suitable component decision procedures. We do not require that such a method applies to arbitrary combinations of problems in $\mathcal{C}$, but to some subclass $\mathcal{C}_{adm}$ of admissible combinations. In the sequel we assume that such a subclass is fixed (later, when studying concrete combination methods, the class of admissible combination problems will be precisely specified).

Definition 3. A protocol-based combination method (for $\mathcal{C}$ and $\mathcal{C}_{adm}$) is given by a mapping that assigns to each admissible combination $\mathcal{D}_1 \otimes \mathcal{D}_2 = (\mathcal{P}_1 \otimes \mathcal{P}_2, val)$ of plain component problems $\mathcal{D}_1 = (\mathcal{P}_1, val_1)$ and $\mathcal{D}_2 = (\mathcal{P}_2, val_2)$ a quadruple $(S, Alg, val^s_1, val^s_2)$ where

1. S is a set, called the protocol. The elements of S are called scenarios,

2. $Alg : \mathcal{P}_1 \otimes \mathcal{P}_2 \to 2^S$ assigns to each instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_1 \otimes \mathcal{D}_2$ a finite set $Alg(\varphi_1 \wedge \varphi_2) \subseteq S$ called the set of output scenarios,

3. $val^s_1 : \mathcal{P}_1 \times S \to \{0, 1\}$ and $val^s_2 : \mathcal{P}_2 \times S \to \{0, 1\}$ define decision problems of the form $\mathcal{D}^s_1 = (\mathcal{P}_1 \times S, val^s_1)$ and $\mathcal{D}^s_2 = (\mathcal{P}_2 \times S, val^s_2)$ respectively such that the following condition holds: for each instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_1 \otimes \mathcal{D}_2$ we have $val(\varphi_1 \wedge \varphi_2) = 1$ iff there exists an output scenario $S \in Alg(\varphi_1 \wedge \varphi_2)$ such that $val^s_1(\varphi_1, S) = 1 = val^s_2(\varphi_2, S)$.

Alg will be called a combination algorithm for $\mathcal{D}_1 \otimes \mathcal{D}_2$; the condition given in item 3 will be called correctness of Alg. Obviously, correctness of the combination algorithm ensures that the combined decision problem $\mathcal{D}_1 \otimes \mathcal{D}_2$ can be reduced to $\mathcal{D}^s_1$ and $\mathcal{D}^s_2$. Given an instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_1 \otimes \mathcal{D}_2$ we may inspect each of the finitely many output scenarios, and check if for one scenario S we have $val^s_1(\varphi_1, S) = 1 = val^s_2(\varphi_2, S)$. The situation may be summarized in the following picture.

[Figure: the input $\varphi_1 \wedge \varphi_2$ is mapped by Alg to its output scenarios; $val(\varphi_1 \wedge \varphi_2) = 1$ iff $\exists S$: $val^s_1(\varphi_1, S) = 1$ and $val^s_2(\varphi_2, S) = 1$.]
The following examples show that the combination methods introduced in Sections 3.1 and 3.2 are special instances of protocol-based combination algorithms.

Example 5. [Ex. 3 cont.] As in Example 3, let $\mathcal{C}_{qf\text{-}dnf}$ denote the class of all qf-dnf satisfiability problems for theories T. The combination $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$ of the problems $\mathcal{D}_{T_1}$ and $\mathcal{D}_{T_2}$ of $\mathcal{C}_{qf\text{-}dnf}$ is admissible iff the theories $T_1$ and $T_2$ are stably infinite and have disjoint signatures. Oppen's Procedure can be described as a protocol-based combination method for $\mathcal{C}_{qf\text{-}dnf}$ in the following way. It assigns to an admissible combination $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$ of the plain component problems $\mathcal{D}_{T_1}$ and $\mathcal{D}_{T_2}$ of the form $(\mathcal{P}_{T_1}, val_{T_1})$ and $(\mathcal{P}_{T_2}, val_{T_2})$ respectively the quadruple $(S, Alg, val^s_{T_1}, val^s_{T_2})$ where

1. S is the set of all partitions $\Pi$ of finite subsets of Var,

2. $Alg(\varphi_1 \wedge \varphi_2)$ is the set of all partitions $\Pi$ of the set of shared variables of $\varphi_1$ and $\varphi_2$, for each $\varphi_1 \wedge \varphi_2 \in \mathcal{P}_{T_1} \otimes \mathcal{P}_{T_2}$,

3. for $\Pi \in S$ we have $val^s_{T_i}(\varphi_i, \Pi) = 1$ iff there exists a $T_i$-model $\mathcal{M}$ and a variable assignment $\nu$ such that $\mathcal{M}, \nu \models \varphi_i$ and $\nu(x) = \nu(y)$ iff $x =_\Pi y$, for all $x, y \in \bigcup \Pi$.

Proposition 1 expresses correctness of Alg for admissible combinations. In the sequel, if $val^s_{T_i}(\varphi_i, \Pi) = 1$ we simply say that $\varphi_i$ is satisfiable w.r.t. $T_i$ under partition $\Pi$.



Example 6. [Ex. 4 cont.] As in Example 4, let $\mathcal{C}_{unif}$ denote the class of all E-unifiability problems. The combination $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$ of the problems $\mathcal{D}_{E_1}$ and $\mathcal{D}_{E_2}$ of $\mathcal{C}_{unif}$ is admissible iff the equational theories $E_1$ and $E_2$ have disjoint signatures. The above Decomposition Algorithm can be described as a protocol-based combination method for $\mathcal{C}_{unif}$ in the following way. It assigns to an admissible combination $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$ of the plain component problems $\mathcal{D}_{E_1}$ and $\mathcal{D}_{E_2}$ of the form $(\mathcal{P}_{E_1}, val_{E_1})$ and $(\mathcal{P}_{E_2}, val_{E_2})$ respectively the quadruple $(S, Alg, val^s_{E_1}, val^s_{E_2})$ where

1. S is the set of generalized linear constant restrictions L on a finite subset of Var,

2. $Alg(\varphi_1 \wedge \varphi_2)$ is the set of all generalized linear constant restrictions L of the set of variables occurring in $\varphi_1 \wedge \varphi_2$, for each $\varphi_1 \wedge \varphi_2 \in \mathcal{P}_{E_1} \otimes \mathcal{P}_{E_2}$,

3. for $L \in S$ we have $val^s_{E_i}(\varphi_i, L) = 1$ iff the $E_i$-unification problem with generalized linear constant restriction $(\varphi_i, L)$ is solvable.

Proposition 2 expresses correctness of Alg for admissible combinations. If $(\varphi_i, L)$ is solvable, we also say that $\varphi_i$ is solvable under linear constant restriction L.



Remark 2. In Example 5 one remarkable phenomenon arises if the input problem $\varphi_1 \wedge \varphi_2$ contains an equation or a disequation $\alpha$ between variables. A formula $\alpha$ of this form can be attached to either side, $\varphi_1$ or $\varphi_2$, and this choice may affect the cardinality of the set of shared variables. To consider an extreme case, assume that $\varphi_2$ is a conjunction of equations and disequations between variables. Assume that we have n shared variables. When treating $\varphi_2$ as a part of the subformula for theory $T_1$, the set of shared variables becomes empty and Oppen's Procedure becomes deterministic. There are variants of the Decomposition Algorithm for combined E-unification problems where the choice of a linear constant restriction is restricted to the set of shared variables. In this situation the same phenomenon occurs.
Due to the large number of output pairs of the two combination algorithms described above, optimization techniques are important. For a systematic study of optimization, the following formal notion is useful.

Definition 4. Let $\mathcal{C}$, $\mathcal{C}_{adm}$ and $\mathcal{D}_1 \otimes \mathcal{D}_2$ be as in Definition 3. A (polynomial) optimization of Alg for $\mathcal{D}_1 \otimes \mathcal{D}_2$ is an algorithm $Alg_{opt}$ that computes for each instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_1 \otimes \mathcal{D}_2$ (in polynomial time) a set $Alg_{opt}(\varphi_1 \wedge \varphi_2) \subseteq Alg(\varphi_1 \wedge \varphi_2)$ such that $val(\varphi_1 \wedge \varphi_2) = 1$ iff there exists some $S \in Alg_{opt}(\varphi_1 \wedge \varphi_2)$ where $val^s_1(\varphi_1, S) = 1 = val^s_2(\varphi_2, S)$.

The above notion of optimization, which refers to a specific combined problem $\mathcal{D}_1 \otimes \mathcal{D}_2$, may be distinguished from a "general" optimization technique for a given protocol-based combination method that applies to an arbitrary combined problem. The Nelson-Oppen combination method described in [NO79], if applied to combined T-clause satisfiability problems, is a general optimization technique for Oppen's Procedure in this sense. Kepser and Richts [KR98] describe optimized versions (in the sense of Definition 4) of the Decomposition Algorithm for combined E-unification algorithms, both on the general level and for specific combined problems.



5 Combination of Generalized Satisfiability Problems 

In this section we look at a well-known class of decision problems, namely at generalized satisfiability problems as introduced by Schaefer [Sh78]. We shall see that there is a natural notion of combining generalized satisfiability problems. Simple examples are given that demonstrate that combined problems can be NP-hard even if the component problems are decidable in zero time. In the sequel we assume that we are given a fixed set of Boolean variables $Var_{bool}$. A truth value assignment is a partial mapping $\nu$ from $Var_{bool}$ to {0, 1}.

Definition 5. A logical relation of rank $k \geq 1$ is given by a subset R of $\{0, 1\}^k$. Let $\mathcal{R} = \{R_1, \dots, R_m\}$ be a finite set of logical relations, $R_i$ being of rank $k_i$. An $\mathcal{R}$-formula is a finite conjunction of clauses of the form $r_i(\bar{p})$ where $r_i$ is a relation symbol for some $R_i \in \mathcal{R}$ and $\bar{p} = (p_1, \dots, p_{k_i})$ is a sequence of (not necessarily distinct) Boolean variables. A truth value assignment $\nu$ satisfies a clause $r_i(\bar{p})$ iff $\nu$ is defined for all variables in $\bar{p}$ and if $(\nu(p_1), \dots, \nu(p_{k_i})) \in R_i$. A truth value assignment $\nu$ satisfies a conjunction $\varphi$ of clauses (we write $\nu(\varphi) = 1$) iff it satisfies each clause. The $\mathcal{R}$-satisfiability problem is the problem of deciding if a given $\mathcal{R}$-formula is satisfiable.

The size of an $\mathcal{R}$-formula $\varphi$ is the total number of occurrences of Boolean variables in $\varphi$. Obviously each $\mathcal{R}$-satisfiability problem can be described as a decision problem $\mathcal{D}_\mathcal{R} = (\mathcal{P}, val)$ in the sense of Definition 2, defining $\mathcal{P}$ as the set of all $\mathcal{R}$-formulae and letting $val(\varphi) = 1$ iff there exists a truth value assignment $\nu$ that satisfies $\varphi$. The class $\mathcal{C}_{gen\text{-}sat}$ of all decision problems of the form $\mathcal{D}_\mathcal{R}$, for arbitrary finite sets $\mathcal{R}$ of logical relations, is called the class of generalized satisfiability problems. It was introduced by Schaefer [Sh78] for studying the complexity of Boolean satisfiability problems in a uniform way. Well-known NP-complete satisfiability problems like 3SAT, 1-in-3 3SAT, NOT-ALL-EQUAL 3SAT, and 1-in-3 problems over positive literals (cf. [GJ79]) can be formalized as generalized satisfiability problems.

Example 7. Let $R_{=1(3)} = \{(1, 0, 0), (0, 1, 0), (0, 0, 1)\}$ and let $\mathcal{R}_{=1(3)}$ denote the singleton set $\{R_{=1(3)}\}$. $R_{=1(3)}$ may be called the exactly-1-in-3 relation over positive literals, and an $\mathcal{R}_{=1(3)}$-formula is just an exactly-1-in-3 problem over positive literals$^3$. The $\mathcal{R}_{=1(3)}$-satisfiability problem is well-known to be NP-complete (cf. [GJ79]).

Similarly as for the classes $\mathcal{C}_{qf\text{-}dnf}$ and $\mathcal{C}_{unif}$, also for the class $\mathcal{C}_{gen\text{-}sat}$ of generalized satisfiability problems there is a natural notion of combining two decision problems. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be two finite sets of logical relations. If $\mathcal{D}_{\mathcal{R}_1}$ (resp. $\mathcal{D}_{\mathcal{R}_2}$) denotes the $\mathcal{R}_1$-satisfiability (resp. $\mathcal{R}_2$-satisfiability) problem, then the natural combination $\mathcal{D}_{\mathcal{R}_1} \otimes \mathcal{D}_{\mathcal{R}_2}$ is the problem $\mathcal{D}_{\mathcal{R}_1 \cup \mathcal{R}_2}$ of $(\mathcal{R}_1 \cup \mathcal{R}_2)$-satisfiability. Our interest in the combination of decision problems for fixed sets of logical relations relies on the fact that it is simple to show that often combined problems are NP-hard even for perfectly trivial plain component problems. In the sequel, we say that a problem $\mathcal{D} = (\mathcal{P}, val)$ is an extension of $\mathcal{D}' = (\mathcal{P}', val')$ iff $\mathcal{P}' \subseteq \mathcal{P}$ and if val and val' coincide on $\mathcal{P}'$.

Example 8. As in Example 7, let $\mathcal{R}_{=1(3)} = \{R_{=1(3)}\}$ describe the class of exactly-1-in-3 problems over positive literals. Let $R_{\geq 1(3)} := \{0, 1\}^3 \setminus \{(0, 0, 0)\}$ denote the at-least-1-in-3 relation and let $R_{\leq 1(3)} := R_{=1(3)} \cup \{(0, 0, 0)\}$ denote the at-most-1-in-3 relation over positive literals. Obviously, given a finite conjunction of clauses, each with three positive literals, there is always a truth value assignment that evaluates at least (at most) one literal of each clause to 1, namely the trivial assignment that maps each atom to 1 (resp. 0). Hence both the $\{R_{\geq 1(3)}\}$-satisfiability problem and the $\{R_{\leq 1(3)}\}$-satisfiability problem are trivial. However, the combination of both problems extends $\mathcal{R}_{=1(3)}$-satisfiability and is NP-complete.

Modifying the above example, we see that this situation is by no means exceptional.

Lemma 1. For each $\mathcal{R}$-satisfiability decision problem there exist two finite sets of logical relations $\mathcal{R}_1$ and $\mathcal{R}_2$ such that

1. the $\mathcal{R}_i$-satisfiability problem is trivial in the sense that each instance of an $\mathcal{R}_i$-satisfiability problem is always solvable (i = 1, 2), and

2. the combination of the $\mathcal{R}_1$-satisfiability problem and the $\mathcal{R}_2$-satisfiability problem is an extension of the $\mathcal{R}$-satisfiability problem.

Proof. Given $\mathcal{R}$, let

$\mathcal{R}_1 := \{R \cup \{(0)^k\} \mid R \in \mathcal{R}$ has arity $k\}$

$\mathcal{R}_2 := \{R \cup \{(1)^k\} \mid R \in \mathcal{R}$ has arity $k\}$

where $(0)^k$ denotes a k-tuple $(0, \dots, 0)$ and similarly for $(1)^k$. Obviously the $\mathcal{R}_1$-satisfiability problem is trivial: each instance $\varphi_1$ is satisfiable, by mapping each Boolean variable to 0. Similarly $\mathcal{R}_2$-satisfiability is trivial. Since for $R \in \mathcal{R}$ always $R = (R \cup \{(0)^k\}) \cap (R \cup \{(1)^k\})$, the combination of $\mathcal{R}_1$-satisfiability and $\mathcal{R}_2$-satisfiability is an extension of $\mathcal{R}$-satisfiability. □

$^3$ Usually these problems are just called positive 1-in-3 problems.

Summing up, for the class of generalized satisfiability problems we have seen that combined decision problems are often NP-hard even for trivial plain component problems. Our next aim is to show that this carries over to the other classes of decision problems that we mentioned above. As a first step, we show that combined generalized satisfiability problems can be solved by a simple protocol-based combination algorithm. The idea is to use truth value assignments as scenarios.

Definition 6. Given $\mathcal{D}_{\mathcal{R}_1} = (\mathcal{P}_1, val_1)$ and $\mathcal{D}_{\mathcal{R}_2} = (\mathcal{P}_2, val_2)$ and their combination $\mathcal{D}_{\mathcal{R}_1} \otimes \mathcal{D}_{\mathcal{R}_2} = (\mathcal{P}_1 \otimes \mathcal{P}_2, val)$, let

1. S denote the set of all truth value assignments,

2. Alg assign to each instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_{\mathcal{R}_1} \otimes \mathcal{D}_{\mathcal{R}_2}$ the finite set of all truth value assignments that are defined exactly on the Boolean variables occurring in $\varphi_1 \wedge \varphi_2$,

3. $val^s_i(\varphi_i, \nu) = 1$ iff $\nu$ satisfies $\varphi_i$ (i = 1, 2).

Assume that for some $\varphi_1 \wedge \varphi_2 \in \mathcal{P}_1 \otimes \mathcal{P}_2$ we have $val(\varphi_1 \wedge \varphi_2) = 1$. By definition of val there exists a truth value assignment $\nu$ that satisfies all the clauses in $\varphi_1 \wedge \varphi_2$. This implies that there exists a scenario $\nu' \in Alg(\varphi_1 \wedge \varphi_2)$ such that $\nu'(\varphi_1) = \nu'(\varphi_2) = 1$, which means that $val^s_1(\varphi_1, \nu') = val^s_2(\varphi_2, \nu') = 1$. Since all implications also hold in the converse direction this shows that Alg is a correct combination algorithm, which proves that Definition 6 describes a protocol-based combination method.
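To make Example 8, the proof of Lemma 1 and Definition 6 concrete, here is an added Python example (it is not code from the paper). It encodes logical relations as sets of tuples, builds from a given $\mathcal{R}$ the two trivial component problems $\mathcal{R}_1$ and $\mathcal{R}_2$ of the proof of Lemma 1, and decides a combined instance with the protocol of Definition 6, using truth value assignments as scenarios. The renaming of relation symbols with suffixes '0' and '1' (so that $\mathcal{R}_1$ and $\mathcal{R}_2$ have distinct symbols) and the sample exactly-1-in-3 instances are assumptions made for this example.

```python
from itertools import product

# A logical relation of rank k is a set of k-tuples over {0, 1}; a finite set of relations
# is a dict from relation symbols to relations. An R-formula is a list of clauses
# (symbol, variables). Truth value assignments are dicts from variables to {0, 1}.

R_EXACTLY_1_IN_3 = {(1, 0, 0), (0, 1, 0), (0, 0, 1)}
R_AT_LEAST_1_IN_3 = set(product((0, 1), repeat=3)) - {(0, 0, 0)}
R_AT_MOST_1_IN_3 = R_EXACTLY_1_IN_3 | {(0, 0, 0)}


def rank(rel):
    return len(next(iter(rel)))


def trivialised(relations, bit, suffix):
    """Construction from the proof of Lemma 1: add the constant tuple (bit, ..., bit) to
    every relation, so the constant assignment x -> bit satisfies every formula over the
    result. Symbols are renamed with `suffix` (an assumption of this example) so that the
    two copies R_1 and R_2 use disjoint relation symbols."""
    return {name + suffix: rel | {(bit,) * rank(rel)} for name, rel in relations.items()}


def split(formula, suffix1, suffix2):
    """Embed an R-formula into the combined (R_1 u R_2)-problem: r(p) becomes r1(p) and r2(p).
    Since R = (R u {0^k}) n (R u {1^k}), the combined instance is equivalent to the original."""
    return ([(name + suffix1, vs) for name, vs in formula],
            [(name + suffix2, vs) for name, vs in formula])


def variables(formula):
    return sorted({v for _, vs in formula for v in vs})


def satisfies(nu, relations, formula):
    """val^s_i of Definition 6: nu satisfies each clause r(p), i.e. (nu(p_1), ..., nu(p_k)) in R."""
    return all(tuple(nu[v] for v in vs) in relations[name] for name, vs in formula)


def scenarios(formula):
    """Alg of Definition 6: all truth value assignments defined exactly on the variables
    occurring in the formula (2^n scenarios for n variables)."""
    vs = variables(formula)
    for bits in product((0, 1), repeat=len(vs)):
        yield dict(zip(vs, bits))


def combined_sat(rel1, phi1, rel2, phi2):
    """Protocol-based combination with assignments as scenarios: return a scenario nu with
    val^s_1(phi1, nu) = val^s_2(phi2, nu) = 1, or None if the combined instance is unsatisfiable."""
    for nu in scenarios(phi1 + phi2):
        if satisfies(nu, rel1, phi1) and satisfies(nu, rel2, phi2):
            return nu
    return None


def solve_via_lemma1(relations, formula):
    """Decide R-satisfiability through the combination of the two trivial problems of Lemma 1."""
    rel1 = trivialised(relations, 0, '0')
    rel2 = trivialised(relations, 1, '1')
    phi1, phi2 = split(formula, '0', '1')
    return combined_sat(rel1, phi1, rel2, phi2)


def solve_via_bounds(formula):
    """Example 8: exactly-1-in-3 as the combination of at-least-1-in-3 with at-most-1-in-3."""
    phi1 = [('ge', vs) for _, vs in formula]
    phi2 = [('le', vs) for _, vs in formula]
    return combined_sat({'ge': R_AT_LEAST_1_IN_3}, phi1, {'le': R_AT_MOST_1_IN_3}, phi2)


def constant_assignment(formula, bit):
    """The trivial solution of a component problem: every variable mapped to `bit`."""
    return {v: bit for v in variables(formula)}


# Constructed exactly-1-in-3 instances over positive literals.
R = {'r': R_EXACTLY_1_IN_3}
F_SAT = [('r', ('x', 'y', 'z')), ('r', ('z', 'w', 'u'))]
F_UNSAT = [('r', ('x', 'x', 'y')), ('r', ('x', 'y', 'y'))]   # (x,x,y) in R forces x=0, y=1

if __name__ == '__main__':
    print(solve_via_lemma1(R, F_SAT))    # a satisfying assignment
    print(solve_via_lemma1(R, F_UNSAT))  # None
    print(solve_via_bounds(F_UNSAT))     # None
```

Each component problem on its own is decided in zero time by the constant assignment, while the combined search still has to look at up to $2^n$ scenarios; this is the gap that Lemma 2 and Lemma 3 below turn into an impossibility result for polynomial optimization.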

Lemma 2. Assume that P $\neq$ NP. Let $R_{\geq 1(3)}$ (resp. $R_{\leq 1(3)}$) denote the at-least-1-in-3 (resp. at-most-1-in-3) relation over positive literals as defined in Example 8. For the combination method given above, there exists no polynomial optimization of Alg for the combination of the $\{R_{\geq 1(3)}\}$-satisfiability problem with the $\{R_{\leq 1(3)}\}$-satisfiability problem.

Proof. Given an exactly-1-in-3 problem over positive literals, $\varphi$, and a truth value assignment $\nu$ on $Var(\varphi)$ we may check in polynomial time if $\nu$ solves $\varphi$. Hence a polynomial optimization of Alg would yield a polynomial-time algorithm for deciding $\mathcal{R}_{=1(3)}$-satisfiability, a contradiction. □

Lemma 3. Assume that P $\neq$ NP. Let $\mathcal{R}$ be a finite set of logical relations such that the $\mathcal{R}$-satisfiability problem is NP-hard, let $\mathcal{R}_1$ and $\mathcal{R}_2$ be as in the proof of Lemma 1. For the combination method given above, there exists no polynomial optimization of Alg for the $\mathcal{R}$-satisfiability problem.

Proof. Similar to the previous proof. □
6 Polynomial Interpretation of Combination Algorithms

In this section we fix a situation where we have two protocol-based combination methods, for classes $\mathcal{C}$ and $\mathcal{C}'$ respectively, and where for both methods admissible combined decision problems $\mathcal{D}$ and $\mathcal{D}'$ are fixed. We establish a relationship between the two combination algorithms Alg and Alg' and the sets of scenarios computed by the algorithms that may be used

1. to lift complexity bounds for $\mathcal{D}$ to $\mathcal{D}'$, and

2. to obtain impossibility results for polynomial optimization of Alg' on the basis of similar results for Alg.

In the following section this observation will be used to prove complexity bounds for combined qf-dnf satisfiability problems (resp. for combined E-unification decision problems) and impossibility results for polynomial optimization of Oppen's Procedure (resp. the Decomposition Algorithm).

To fix notation, let $\mathcal{C}$ be a class of decision problems with a fixed protocol-based combination method for a subclass of admissible combinations. Let $\mathcal{D}_1 \otimes \mathcal{D}_2 = (\mathcal{P}_1 \otimes \mathcal{P}_2, val)$ be the admissible combination of the plain component problems $\mathcal{D}_1 = (\mathcal{P}_1, val_1)$ and $\mathcal{D}_2 = (\mathcal{P}_2, val_2)$ of $\mathcal{C}$. We assume that application of the combination method to $\mathcal{D}_1 \otimes \mathcal{D}_2$ yields $(S, Alg, val^s_1, val^s_2)$.

Let $\mathcal{C}'$ denote a second class of decision problems with another protocol-based combination method for a subclass of admissible combinations. Let $\mathcal{D}'_1 \otimes \mathcal{D}'_2 = (\mathcal{P}'_1 \otimes \mathcal{P}'_2, val')$ be the admissible combination of the plain component problems $\mathcal{D}'_1 = (\mathcal{P}'_1, val'_1)$ and $\mathcal{D}'_2 = (\mathcal{P}'_2, val'_2)$ of $\mathcal{C}'$. We assume that application of the combination method to $\mathcal{D}'_1 \otimes \mathcal{D}'_2$ yields $(S', Alg', val'^s_1, val'^s_2)$.

Definition 7. In the context described above, a polynomial interpretation of $Alg$ in $Alg'$ is given by three polynomial-time computable functions

$$tr_1 : \mathcal{P}_1 \to \mathcal{P}_1' : \varphi_1 \mapsto \varphi_1^{tr_1}$$
$$tr_2 : \mathcal{P}_2 \to \mathcal{P}_2' : \varphi_2 \mapsto \varphi_2^{tr_2}$$
$$\beta : \mathcal{S}' \to \mathcal{S}$$

such that the following conditions hold for each $\varphi_1 \wedge \varphi_2 \in \mathcal{P}_1 \otimes \mathcal{P}_2$:

1. for each scenario $S \in Alg(\varphi_1 \wedge \varphi_2)$: if $val_1^s(\varphi_1, S) = val_2^s(\varphi_2, S) = 1$ then there exists $S' \in Alg'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})$ such that $val_1^{s'}(\varphi_1^{tr_1}, S') = val_2^{s'}(\varphi_2^{tr_2}, S') = 1$,

2. for each $S' \in Alg'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})$: if $val_1^{s'}(\varphi_1^{tr_1}, S') = val_2^{s'}(\varphi_2^{tr_2}, S') = 1$, then $\beta(S') \in Alg(\varphi_1 \wedge \varphi_2)$ and $val_1^s(\varphi_1, \beta(S')) = val_2^s(\varphi_2, \beta(S')) = 1$.

Theorem 1. In the context given above, assume there exists a polynomial interpretation of $Alg$ in $Alg'$.

1. If $\mathcal{D}_1 \otimes \mathcal{D}_2$ is NP-hard, then also $\mathcal{D}_1' \otimes \mathcal{D}_2'$ is NP-hard. In a similar way, each lower complexity bound for $\mathcal{D}_1 \otimes \mathcal{D}_2$ beyond NP-hardness carries over to $\mathcal{D}_1' \otimes \mathcal{D}_2'$.

2. If there is no polynomial optimization of $Alg$ for $\mathcal{D}_1 \otimes \mathcal{D}_2$, then there is no polynomial optimization of $Alg'$ for $\mathcal{D}_1' \otimes \mathcal{D}_2'$.

Proof. Assume there exists a polynomial interpretation as described above. We first show that for each $\varphi_1 \wedge \varphi_2 \in \mathcal{D}_1 \otimes \mathcal{D}_2$ we have $val(\varphi_1 \wedge \varphi_2) = 1$ iff $val'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2}) = 1$. Since $tr_1$ and $tr_2$ are polynomial-time this shows that there exists a polynomial transformation of $\mathcal{D}_1 \otimes \mathcal{D}_2$ to $\mathcal{D}_1' \otimes \mathcal{D}_2'$ which proves the first part of the theorem.

Assume that $val(\varphi_1 \wedge \varphi_2) = 1$. By correctness of $Alg$ there exists a scenario $S \in Alg(\varphi_1 \wedge \varphi_2)$ such that

$$val_1^s(\varphi_1, S) = val_2^s(\varphi_2, S) = 1.$$

Condition 1 of Def. 7 ensures that there exists $S' \in Alg'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})$ such that

$$val_1^{s'}(\varphi_1^{tr_1}, S') = val_2^{s'}(\varphi_2^{tr_2}, S') = 1.$$

Now correctness of $Alg'$ shows that $val'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2}) = 1$.

Conversely assume that $val'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2}) = 1$. Correctness of $Alg'$ shows that there exists a scenario $S' \in Alg'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})$ such that

$$val_1^{s'}(\varphi_1^{tr_1}, S') = val_2^{s'}(\varphi_2^{tr_2}, S') = 1.$$

By Condition 2,

$$val_1^s(\varphi_1, \beta(S')) = val_2^s(\varphi_2, \beta(S')) = 1$$

and $\beta(S') \in Alg(\varphi_1 \wedge \varphi_2)$. Correctness of $Alg$ shows that $val(\varphi_1 \wedge \varphi_2) = 1$.

To prove the second statement, assume that there exists a polynomial optimization $Alg'_{opt}$ of $Alg'$. For an instance $\varphi_1 \wedge \varphi_2$ of $\mathcal{D}_1 \otimes \mathcal{D}_2$ define

$$Alg_{opt}(\varphi_1 \wedge \varphi_2) := \{\beta(S') \mid S' \in Alg'_{opt}(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})\}.$$

Our assumptions show that $Alg_{opt}$ is polynomial-time computable. Assume that $val(\varphi_1 \wedge \varphi_2) = 1$. As above it follows that $val'(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2}) = 1$. Hence there exists an $S' \in Alg'_{opt}(\varphi_1^{tr_1} \wedge \varphi_2^{tr_2})$ such that $val_1^{s'}(\varphi_1^{tr_1}, S') = val_2^{s'}(\varphi_2^{tr_2}, S') = 1$. But then $\beta(S') \in Alg(\varphi_1 \wedge \varphi_2)$ and $val_1^s(\varphi_1, \beta(S')) = val_2^s(\varphi_2, \beta(S')) = 1$. This shows that $Alg_{opt}$ is a polynomial optimization of $Alg$. □

7 Intractable Combined T-Satisfiability Problems

As a first illustration of the techniques of Section 6 we now characterize first-order theories $T_1$ and $T_2$ where satisfiability of qf-dnf formulae w.r.t. $T_1 \cup T_2$ is NP-hard, regardless of the complexity of satisfiability w.r.t. the component theories $T_i$, and where we cannot obtain a polynomial optimization of Oppen's Procedure. The idea is to use two generalized satisfiability problems whose combination is NP-hard and where the combination algorithm described in Definition 6 does not have a polynomial optimization. By Theorem 1 it then suffices to give a polynomial interpretation between the combination algorithms of the two combination problems. There is an arbitrariness in the selection of the generalized satisfiability problems. We shall use $\mathcal{R}_{\geq 1(3)}$-satisfiability and $\mathcal{R}_{\leq 1(3)}$-satisfiability, but many other combinations could be used as well. Let us fix notation.

Source Problems. As in Example 8, $R_{\geq 1(3)}$ denotes the at-least-1-in-3 relation over positive literals and $\mathcal{R}_{\geq 1(3)} = \{R_{\geq 1(3)}\}$. With $\mathcal{P}_{\geq 1(3)}$ we denote the set of all instances of $\mathcal{R}_{\geq 1(3)}$-satisfiability problems, and $\mathcal{D}_{\geq 1(3)}$ denotes the $\mathcal{R}_{\geq 1(3)}$-satisfiability problem. In the same way all dual notions are defined, where "$\geq$" is replaced by "$\leq$". With $\mathcal{S}_{1(3)}$ and $Alg_{1(3)}$ we denote the protocol and the combination algorithm introduced in Definition 6.

Target Problems. We fix an admissible combination $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2} \in \mathcal{C}_{qf\text{-}dnf}$. We assume that $\mathcal{D}_{T_i}$ has the form $(\mathcal{P}_{T_i}, val_i)$, for $i = 1, 2$. With $(\mathcal{S}_T, Alg_T, val_1^s, val_2^s)$ we denote the quadruple assigned to $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$ by Oppen's Procedure as described in Example 5.

Encoding Principle. Before we describe the technical details of the encoding, two remarks are appropriate.

1. As a matter of fact we cannot expect to obtain a polynomial interpretation between the two combination procedures described above that works for arbitrary combinations $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2} \in \mathcal{C}_{qf\text{-}dnf}$. Below we give two sufficient conditions on $T_1$ and $T_2$ respectively that guarantee that a uniform polynomial interpretation exists. Theories that satisfy these two conditions will be called theories of type 1 and 2 respectively⁴ (another possible name would be theories of type "$\geq 1(3)$" and "$\leq 1(3)$").

2. From Definition 7 recall that we have to find a translation $\beta : \mathcal{S}_T \to \mathcal{S}_{1(3)}$ that encodes scenarios of target problems (i.e., partitions $\Pi$ of the set $X$ of "shared" variables of the target problem) into scenarios of the source problems (i.e., truth value assignments $v$ on the set $P$ of Boolean variables of the source problem). The translations of decision problems (i.e., $tr_1$ and $tr_2$) will be organized in such a way that for a fixed pair of source and target problems we always have $P \subseteq X$. To this end we will assume that the set of Boolean variables, $Var_{bool}$, is a subset of the set $Var$ of variables that is used for formulating instances of $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$. The latter variables will be called "syntactic" variables, for simplicity. Note that each Boolean variable is also used as a syntactic variable. We assume that $Var \setminus Var_{bool}$ is infinite. One variable $x \in Var \setminus Var_{bool}$ is chosen that plays a special role. The idea for the translation $\beta$ is to consider a Boolean variable $p \in P$ to be "true" under $v = \beta(\Pi)$ iff $p \in [x]_\Pi$, where $[x]_\Pi$ denotes the equivalence class of $x$ w.r.t. $\Pi$.



Definition 8. Theory $T_1$ is of type 1 iff there exists a polynomial-time translation $tr_1 : \mathcal{P}_{\geq 1(3)} \to \mathcal{P}_{T_1}$ that assigns to each at-least-1-in-3 problem over positive literals $\varphi_{\geq 1(3)}$ of the form $\bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ a conjunction $\varphi_{\geq 1(3)}^{tr_1}$ of $T_1$-literals with set of variables $\{x\} \cup P \cup Y_1$ such that the following conditions hold:

"→" for each subset $Q$ of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$⁵ the problem $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_1$ under the partition $\Pi := \{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$.

"←" If $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_1$ under partition $\Pi$ of $\{x\} \cup P$, then $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$ for all $1 \leq i \leq k$.⁶

⁴ The word "type" is not used in a formal sense here, and a theory $T$ may have type 1 and type 2 at the same time.

Theories of type 2 are defined in the dual way:

Definition 9. Theory $T_2$ is of type 2 iff there exists a polynomial-time translation $tr_2 : \mathcal{P}_{\leq 1(3)} \to \mathcal{P}_{T_2}$ that assigns to each at-most-1-in-3 problem over positive literals $\varphi_{\leq 1(3)}$ of the form $\bigwedge_{i=1}^{k} R_{\leq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ a conjunction $\varphi_{\leq 1(3)}^{tr_2}$ of $T_2$-literals with set of variables $\{x\} \cup P \cup Y_2$ such that the following conditions hold:

"→" for each subset $Q$ of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ the problem $\varphi_{\leq 1(3)}^{tr_2}$ is satisfiable w.r.t. $T_2$ under the partition $\Pi := \{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$.

"←" If $\varphi_{\leq 1(3)}^{tr_2}$ is satisfiable w.r.t. $T_2$ under partition $\Pi$ of $\{x\} \cup P$, then $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \leq 1$ for all $1 \leq i \leq k$.

Theorem 2. Let $T_1$ and $T_2$ be stably infinite first-order theories with disjoint signatures. If $T_i$ is of type $i$, for $i = 1, 2$, then $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$ is NP-hard and there is no polynomial optimization of Oppen's Procedure for $\mathcal{D}_{T_1} \otimes \mathcal{D}_{T_2}$.

Proof. Without loss of generality we may restrict considerations to input formulae $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$ which have the dual structure

$$\bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3}) \quad \text{and} \quad \bigwedge_{i=1}^{k} R_{\leq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$$

respectively. With $P$ we denote the common set of variables of $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$. Let $tr_1$ and $tr_2$ be translations with the properties described in Definitions 8 and 9 respectively. The sets $Y_1$ and $Y_2$ of additional variables used in the translated formulae $\varphi_{\geq 1(3)}^{tr_1}$ and $\varphi_{\leq 1(3)}^{tr_2}$ respectively are assumed to be disjoint. Hence $\{x\} \cup P$ is the set of shared variables of $\varphi_{\geq 1(3)}^{tr_1}$ and $\varphi_{\leq 1(3)}^{tr_2}$.

We define the following mapping $\beta : \mathcal{S}_T \to \mathcal{S}_{1(3)}$. If $\Pi$ is a partition of $X \subseteq Var$, then $\beta(\Pi)$ is the empty truth value assignment if $x \notin X$. In the other case, $\beta(\Pi)$ is defined on all Boolean variables of $X$. For a Boolean variable $p \in X$ we define $\beta(\Pi)(p) = 1$ iff $p \in [x]_\Pi$.

We now show that the mappings $\beta$, $tr_1$ and $tr_2$ satisfy the conditions for a polynomial interpretation of $Alg_{1(3)}$ in $Alg_T$ specified in Definition 7. By choice of $tr_1$ and $tr_2$, and by definition of $\beta$, these mappings are polynomial-time computable.

We show that Condition 1 of Definition 7 is satisfied. Let $v$ be a truth value assignment in $Alg_{1(3)}(\varphi_{\geq 1(3)} \wedge \varphi_{\leq 1(3)})$ that satisfies both $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$. We assume that $v$ has domain $P$. Let $Q := \{p \in P \mid v(p) = 1\}$. Let $\Pi$ denote the partition $\{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$. We have $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$. Condition "→" for theories of type 1 (resp. 2) guarantees that the problem $\varphi_{\geq 1(3)}^{tr_1}$ (resp. $\varphi_{\leq 1(3)}^{tr_2}$) is satisfiable w.r.t. $T_1$ (resp. $T_2$) under $\Pi$. Since $\Pi$ is in $Alg_T(\varphi_{\geq 1(3)}^{tr_1} \wedge \varphi_{\leq 1(3)}^{tr_2})$ we are done.

We verify Condition 2 of Definition 7. Let $\Pi \in Alg_T(\varphi_{\geq 1(3)}^{tr_1} \wedge \varphi_{\leq 1(3)}^{tr_2})$ and assume that both $\varphi_{\geq 1(3)}^{tr_1}$ and $\varphi_{\leq 1(3)}^{tr_2}$ are satisfiable (w.r.t. $T_1$ resp. $T_2$) under partition $\Pi$ of $\{x\} \cup P$. Since $x$ belongs to the set of shared variables of $\varphi_{\geq 1(3)}^{tr_1}$ and $\varphi_{\leq 1(3)}^{tr_2}$, and since $P$ is the subset of all Boolean variables among the set of shared variables, it follows that $\beta(\Pi)$ is defined exactly on $P$, hence we have $\beta(\Pi) \in Alg_{1(3)}(\varphi_{\geq 1(3)} \wedge \varphi_{\leq 1(3)})$. Conditions "←" for theories of type 1 and 2 guarantee that $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for all $1 \leq i \leq k$. It follows that $\beta(\Pi)$ solves $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$.

We have shown that $tr_1$, $tr_2$ and $\beta$ define a polynomial interpretation of $Alg_{1(3)}$ in $Alg_T$. Using Lemma 2 and Theorem 1 the result follows. □

⁵ The condition expresses that $Q$ defines a solution of the exactly-1-in-3 problem $\bigwedge_{i=1}^{k} R_{=1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$.

⁶ With comment 2 above, the condition expresses that $[x]_\Pi \cap P$ defines a solution of $\bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$.



Some Theories of Type 1. In the sequel we list some examples of theories of type 1. In each case it is simple to see that the theory is stably infinite. In order to show that the theory is of type 1 we generally assume that an at-least-1-in-3 problem over positive literals, $\varphi_{\geq 1(3)}$, of the form $\bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ is given. In the examples below we only give the polynomial-time translation into a qf-dnf formula $\varphi_{\geq 1(3)}^{tr_1}$. One restriction is imposed on $\varphi_{\geq 1(3)}^{tr_1}$. Remark 2 indicates that in some cases impossibility results for polynomial optimization can be misleading if the input formulae contain equations or disequations between variables. For this reason we demand that $\varphi_{\geq 1(3)}^{tr_1}$ does not contain any equation or disequation between variables.

Example 9. Let $T_1$ denote the theory of integers with addition $+$, standard ordering $\leq$ and successor $s$. Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae of the form

$$x = x + x \;\wedge\; p_{i_1} + p_{i_2} + p_{i_3} \leq s(s(x + x)) \;\wedge\; x + x \leq p_{i_1} \;\wedge\; x + x \leq p_{i_2} \;\wedge\; x + x \leq p_{i_3}$$

for $1 \leq i \leq k$. We verify condition "→" of Definition 8. If $Q$ is a subset of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ then we may use the standard model of $T_1$ and map variables in $\{x\} \cup Q$ to 0 and variables in $P \setminus Q$ to 1. This shows that $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_1$ under the partition $\Pi := \{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$. We verify condition "←" of Definition 8. If $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_1$ under partition $\Pi$ of $\{x\} \cup P$, then obviously $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$ for all $1 \leq i \leq k$: the literal $x = x + x$ forces $x = 0$, each $p_{i_j}$ is then non-negative, and since the three values sum to at most 2, at least one of them equals $0 = x$.
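The encoding principle and the two conditions of Definition 8 can be checked mechanically on a small instance. The following Python is an added example, not code from the paper: it implements $\beta$ (a Boolean variable is true iff it lies in the class of $x$), the translation of Example 9, and an exhaustive test of conditions "→" and "←" of Definition 8 over all partitions of $\{x\} \cup P$. Satisfiability under a partition is decided by brute force over the integer values 0, 1, 2; this window is complete for the Example 9 formula (because $x = x + x$ forces $x = 0$ and every $p$ then lies in $\{0, 1, 2\}$), but that restriction, the constructed clause set and all function names are ours.

```python
"""Encoding principle of Section 7 on the integer encoding of Example 9.

Added example, not the paper's code. T_1 is modelled by the standard integers;
because x = x + x forces x = 0 and the remaining literals confine every p to
{0, 1, 2}, searching that window is a complete satisfiability test for the
formula of Example 9 (this restriction is ours, not the paper's)."""
from itertools import product

X = "x"  # the distinguished non-Boolean variable of the encoding principle


def beta(partition):
    """beta(Pi): a Boolean variable is true iff it lies in the class of x."""
    cls = next(c for c in partition if X in c)
    return {p: (1 if p in cls else 0) for c in partition for p in c if p != X}


def at_least_1_in_3(clauses, v):
    """Does the truth assignment v solve the at-least-1-in-3 instance?"""
    return all(sum(v[p] for p in cl) >= 1 for cl in clauses)


def example9_holds(clauses, val):
    """The conjunction of Example 9: x = x+x, p1+p2+p3 <= s(s(x+x)), x+x <= p_j."""
    x = val[X]
    if x != x + x:
        return False
    for cl in clauses:
        if sum(val[p] for p in cl) > x + x + 2:
            return False
        if any(x + x > val[p] for p in cl):
            return False
    return True


def satisfiable_under(clauses, partition, window=range(3)):
    """Is the Example 9 formula T_1-satisfiable under the arrangement Pi, i.e.
    with variables equal iff they lie in the same class of Pi (Oppen's notion)?"""
    classes = list(partition)
    for values in product(window, repeat=len(classes)):
        if len(set(values)) != len(classes):      # distinct classes, distinct values
            continue
        val = {var: values[i] for i, c in enumerate(classes) for var in c}
        if example9_holds(clauses, val):
            return True
    return False


def set_partitions(items):
    """All partitions of a list, each as a list of frozensets."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in set_partitions(rest):
        for i in range(len(smaller)):
            yield smaller[:i] + [smaller[i] | {first}] + smaller[i + 1:]
        yield [frozenset({first})] + smaller


def check_definition_8(clauses):
    """Exhaustively check conditions "->" and "<-" of Definition 8 for the
    Example 9 translation on a small at-least-1-in-3 instance."""
    P = sorted({p for cl in clauses for p in cl})
    # "->": every Q hitting each clause exactly once gives a satisfiable arrangement
    for bits in product((0, 1), repeat=len(P)):
        Q = {p for p, b in zip(P, bits) if b}
        if not all(len(Q & set(cl)) == 1 for cl in clauses):
            continue
        pi = [frozenset(Q | {X})]
        if set(P) - Q:
            pi.append(frozenset(set(P) - Q))
        if not satisfiable_under(clauses, pi):
            return False
    # "<-": every arrangement that makes the translation satisfiable is mapped
    # by beta to a solution of the original at-least-1-in-3 instance
    for pi in set_partitions([X] + P):
        if satisfiable_under(clauses, pi) and not at_least_1_in_3(clauses, beta(pi)):
            return False
    return True


if __name__ == "__main__":
    clauses = [("a", "b", "c"), ("b", "c", "d")]   # constructed instance
    print(check_definition_8(clauses))             # True
```

`check_definition_8` enumerates all 52 partitions of $\{x, a, b, c, d\}$; the "←" loop is where the translation does its work, since an arrangement that separates $x$ from all three literals of a clause makes the sum constraint unsatisfiable and therefore never reaches $\beta$.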



Example 10. Let $T_1$ denote the theory of natural numbers with addition $+$ and successor $s$. We show that $T_1$ has type 1. Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae of the form

$$x = x + x \;\wedge\; p_{i_1} + p_{i_2} + p_{i_3} \leq s(s(x + x))$$

for $1 \leq i \leq k$. Conditions "→" and "←" of Definition 8 can be verified as in the previous example.



Example 11. Let $T_1$ denote the theory of any infinite ring with 0, without zero-divisors (e.g. integers, rationals, reals, complex numbers). Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae of the form

$$x = 0 \;\wedge\; p_{i_1} \cdot p_{i_2} \cdot p_{i_3} = 0$$

for $1 \leq i \leq k$. Conditions "→" and "←" of Definition 8 can be verified as in the preceding examples.

Example 12. ([Op80,DS78]) Let $T_1$ denote the theory of arrays over the signature $\{sel, store\}$ with the axioms

$$\forall v \forall e \forall i : sel(store(v, i, e), i) = e,$$
$$\forall v \forall e \forall i \forall j : i \neq j \rightarrow sel(store(v, i, e), j) = sel(v, j),$$
$$\forall v \forall i : store(v, i, sel(v, i)) = v,$$
$$\forall v \forall i \forall e \forall f : store(store(v, i, e), i, f) = store(v, i, f),$$
$$\forall v \forall i \forall j \forall e \forall f : i \neq j \rightarrow store(store(v, i, e), j, f) = store(store(v, j, f), i, e).$$

Here $sel(v, i)$ is meant to denote the $i$-th field $v[i]$ of the array $v$, and $store(v, i, e)$ is the array whose $i$-th component is $e$ and whose $j$-th component for $i \neq j$ is $v[j]$. Downey and Sethi [DS78] have shown that the satisfiability problem for qf-dnf formulae of this theory is NP-complete. Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae of the form

$$store(store(store(v, p_{i_1}, e), p_{i_2}, e), p_{i_3}, e)[x] \neq v[x]$$

for $1 \leq i \leq k$. We verify condition "→" of Definition 8. If $Q$ is a subset of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ it is obviously simple to find an infinite model of $T_1$ and a satisfying variable assignment where all variables in $Q \cup \{x\}$ (resp. $P \setminus Q$) are identified. We verify condition "←" of Definition 8. A valid sentence of $T_1$ expresses the following: if we store in array $v$ at positions $p_{i_1}, p_{i_2}, p_{i_3}$ the element $e$, and if in the new array $w$ that is obtained after these three operations we have a new element stored at position $x$, then $x$ must coincide with at least one of the positions $p_{i_1}, p_{i_2}, p_{i_3}$. Hence, if $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_1$ under partition $\Pi$ of $P \cup \{x\}$, then we have $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$, for all $1 \leq i \leq k$.



Example 13. Another series of examples comes from the area of equational theories. It turns out that for various equational theories $E$ the full first-order theory $T_E$ of the quotient term algebra $T(\Sigma, Var)/{=_E}$ is of type 1. As one example consider the theory $E$ that expresses commutativity of the function symbol $f$. Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae of the form

$$\ldots = f(f(p_{i_1}, p_{i_2}), f(p_{i_2}, p_{i_3}))$$

for $1 \leq i \leq k$. We verify condition "→" of Definition 8. If $Q$ is a subset of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ we can give an assignment in the standard model that satisfies $\varphi_{\geq 1(3)}^{tr_1}$ under the partition $\{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$.

We verify condition "←" of Definition 8. The sentence $\forall x \forall y \forall u \forall v : f(x, y) = f(u, v) \rightarrow (x = u \vee x = v)$ is a valid sentence of $T_E$. Hence, if $\varphi_{\geq 1(3)}^{tr_1}$ is satisfiable w.r.t. $T_E$ under partition $\Pi$ of $P \cup \{x\}$, then we have $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$, for all $1 \leq i \leq k$.

Example 14. Other examples are provided by formalizations of set theory where membership and finite set construction are expressible. If we can write a formula that expresses $x \in \{p_{i_1}, p_{i_2}, p_{i_3}\}$, then the conjunction of all such formulae for $1 \leq i \leq k$ can be used to verify that the theory is of type 1.



Some Theories of Type 2. We also list some examples of theories of type 2. All theories below are stably infinite. In order to show that a given theory is of type 2 we generally assume that an at-most-1-in-3 problem over positive literals, $\varphi_{\leq 1(3)}$, of the form $\bigwedge_{i=1}^{k} R_{\leq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ is given. We give a polynomial-time translation into a qf-dnf formula $\varphi_{\leq 1(3)}^{tr_2}$. As in the case of theories of type 1 we demand that $\varphi_{\leq 1(3)}^{tr_2}$ does not contain any equation or disequation between variables.

Example 15. Let $T_2$ denote the theory of equality with function symbols in the signature $\Sigma_2$. The theory contains all sentences that are valid in all $\Sigma_2$-algebras. Assuming that $f \in \Sigma_2$ is binary, an example is $\forall x \forall y \forall z : x = y \rightarrow f(x, z) = f(y, z)$. Nelson and Oppen [NO79] give an $O(n^2)$ decision procedure for the qf-dnf theory. Let $\varphi_{\leq 1(3)}^{tr_2}$ denote the conjunction of all formulae of the form

$$f(p_{i_1}, p_{i_2}) \neq f(x, x) \;\wedge\; f(p_{i_2}, p_{i_3}) \neq f(x, x) \;\wedge\; f(p_{i_3}, p_{i_1}) \neq f(x, x)$$

for $1 \leq i \leq k$ (a similar encoding is possible as soon as $\Sigma_2$ contains any function symbol of arity $k \geq 2$). We verify condition "→" of Definition 9. If $Q$ is a subset of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$, then obviously the problem $\varphi_{\leq 1(3)}^{tr_2}$ is satisfiable w.r.t. $T_2$ under the partition $\Pi := \{\{x\} \cup Q,\; P \setminus Q\}$ of $\{x\} \cup P$. We verify condition "←" of Definition 9. If $\varphi_{\leq 1(3)}^{tr_2}$ is satisfiable w.r.t. $T_2$ under partition $\Pi$ of $\{x\} \cup P$, then obviously $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \leq 1$ for all $1 \leq i \leq k$.



Example 16. Let $T_2$ denote the theory of arrays as introduced in Example 12. Let $\varphi_{\leq 1(3)}^{tr_2}$ denote the conjunction of all formulae of the form

$$store(store(v, p_{i_1}, e), p_{i_2}, e) \neq store(v, x, e)$$
$$\wedge\; store(store(v, p_{i_2}, e), p_{i_3}, e) \neq store(v, x, e)$$
$$\wedge\; store(store(v, p_{i_3}, e), p_{i_1}, e) \neq store(v, x, e)$$

for $1 \leq i \leq k$. It is simple to see that with this translation conditions "→" and "←" of Definition 9 are satisfied. Hence, here we have a theory that has both type 1 and type 2.

Example 17. Let $T_2$ denote the theory of some infinite monoid (e.g., naturals, integers, rationals, reals) with multiplication $\cdot$ and neutral element 1. Let $\varphi_{\leq 1(3)}^{tr_2}$ denote the conjunction of all formulae of the form

$$x = 1 \;\wedge\; p_{i_1} \cdot p_{i_2} \neq 1 \;\wedge\; p_{i_2} \cdot p_{i_3} \neq 1 \;\wedge\; p_{i_3} \cdot p_{i_1} \neq 1$$

for $1 \leq i \leq k$. It is simple to see that with this translation conditions "→" and "←" of Definition 9 are satisfied.



Example 18. As in the case of type 1 it turns out that for various equational theories $E$ the full first-order theory $T_E$ of the quotient term algebra $T(\Sigma, Var)/{=_E}$ is of type 2. As one example consider the trivial theory $E$ with axiom $\{f(x, y) = f(x, y)\}$. Let $\varphi_{\leq 1(3)}^{tr_2}$ denote the conjunction of all formulae of the form

$$f(p_{i_1}, p_{i_2}) \neq f(x, x) \;\wedge\; f(p_{i_2}, p_{i_3}) \neq f(x, x) \;\wedge\; f(p_{i_3}, p_{i_1}) \neq f(x, x)$$

for $1 \leq i \leq k$. It is simple to see that with this translation conditions "→" and "←" of Definition 9 are satisfied. The same translation works for most other equational theories with a binary symbol $f$.



8 Intractable Combined E-Unification Problems

As a second and final illustration we now want to use Theorem 1 for obtaining NP-hardness results and impossibility results for polynomial optimizations for admissible combinations of $E$-unification problems such as considered in Example 6. The results obtained here generalize previous results given in [Sc97,Sc99].
Source problems. Let $R_{\geq 1(3)}$, $\mathcal{R}_{\geq 1(3)}$, $\mathcal{P}_{\geq 1(3)}$, $\mathcal{D}_{\geq 1(3)}$ be defined as before, as well as the dual notions and $\mathcal{S}_{1(3)}$ and $Alg_{1(3)}$.

Target problems. We fix an admissible combination $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2} \in \mathcal{C}_{unif}$. We assume that $\mathcal{D}_{E_i}$ has the form $(\mathcal{P}_{E_i}, val_i)$, for $i = 1, 2$. With $(\mathcal{S}_E, Alg_E, val_1^s, val_2^s)$ we denote the quadruple assigned to $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$ by the combination method for $E$-unification algorithms described in Example 6.

Encoding principle. The main task, as in the previous section, is to define a translation $\beta : \mathcal{S}_E \to \mathcal{S}_{1(3)}$ that assigns a truth value assignment $v$ to a given linear constant restriction $L = (\Pi, Lab, <_L)$. Recall that $\Pi$ represents a partition on the set $X$ of variables of the combined equational unification problem. Hence we may use the same encoding principle as in the previous section: for some selected and fixed non-Boolean variable $x$, a Boolean variable $p \in P$ is interpreted to be "true" under $v$ iff $p \in [x]_\Pi$, where $[x]_\Pi$ denotes the equivalence class of $x$ w.r.t. $\Pi$. As technical prerequisites, as in the previous section we assume that $Var_{bool} \subseteq Var$ and that $Var \setminus Var_{bool}$ is infinite. Here $Var$ is the set of "syntactic" variables occurring in instances of $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$. Furthermore we assume that $x \in Var \setminus Var_{bool}$ is the first variable in the given enumeration of $Var$. Hence, when choosing representatives for equivalence classes of $\Pi$ as described in Section 3.2, $x$ is always its own representative.

For defining equational theories of type 1, the following notion is needed. Let $X$ be a finite set of variables containing $x$. A plain linear constant restriction for $X$ is a linear constant restriction $(\Pi, Lab, <)$ for $X$ with the following properties:

1. each equivalence class of $\Pi$ with the possible exception of $[x]_\Pi$ is a singleton,

2. all Boolean variables in $X$, as well as $x$, receive label $\Sigma_2$, all other variables receive label $\Sigma_1$,

3. variables with label $\Sigma_2$ are smaller w.r.t. "$<$" than variables with label $\Sigma_1$.



Definition 10. The equational theory $E_1$ is of type 1 iff there exists a polynomial-time translation

$$tr_1 : \mathcal{P}_{\geq 1(3)} \to \mathcal{P}_{E_1}$$

that assigns to each at-least-1-in-3 problem over positive literals $\varphi_{\geq 1(3)}$ of the form $\bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ a conjunction $\varphi_{\geq 1(3)}^{tr_1}$ of elementary $E_1$-unification problems with set of variables $\{x\} \cup P \cup Y_1$ such that the following conditions hold:

"→" for each subset $Q$ of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ there exists a plain linear constant restriction $L_1 = (\Pi_1, Lab_1, <_1)$ for $\{x\} \cup P \cup Y_1$ such that $[x]_{\Pi_1} = Q \cup \{x\}$ and $\varphi_{\geq 1(3)}^{tr_1}$ is solvable under $L_1$.

"←" If $\varphi_{\geq 1(3)}^{tr_1}$ is solvable under the linear constant restriction $L$ with partition $\Pi$ where variables in $\{x\} \cup P$ receive alien label $\Sigma_2$ and for $i = 1, \ldots, k$ the elements $p_{i_1}, p_{i_2}, p_{i_3}$ belong to distinct equivalence classes, then $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$ for all $1 \leq i \leq k$.
Definition 11. The equational theory $E_2$ is of type 2 iff there exists a polynomial-time translation

$$tr_2 : \mathcal{P}_{\leq 1(3)} \to \mathcal{P}_{E_2}$$

that assigns to each at-most-1-in-3 problem over positive literals $\varphi_{\leq 1(3)}$ of the form $\bigwedge_{i=1}^{k} R_{\leq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ with set of Boolean variables $P$ a conjunction $\varphi_{\leq 1(3)}^{tr_2}$ of elementary $E_2$-unification problems with set of variables $\{x\} \cup P \cup Y_2$ such that the following conditions hold:

"→" for each subset $Q$ of $P$ with $|Q \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| = 1$ for $i = 1, \ldots, k$ there exists a solution $\sigma_2$ of $\varphi_{\leq 1(3)}^{tr_2}$ that identifies all elements of $Q \cup \{x\}$.

"←" If $\varphi_{\leq 1(3)}^{tr_2}$ is solvable under linear constant restriction $L$ with partition $\Pi$, then variables in $\{x\} \cup P$ receive domestic label $\Sigma_2$ and for $1 \leq i \leq k$ the variables $p_{i_1}, p_{i_2}, p_{i_3}$ have distinct equivalence classes w.r.t. $\Pi$ (in particular $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \leq 1$).

As to the conditions "←" there is an asymmetry between theories of type 1 and 2 respectively. For theories of type 2 (resp. 1) we have refined (resp. relaxed) the basic requirement which says that $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \leq 1$ (resp. $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$) for all $1 \leq i \leq k$. This is motivated by the special properties of the classes of equational theories that we treat below.

Theorem 3. Assume that $E_i$ is of type $i$, for $i = 1, 2$. Then $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$ is NP-hard and there is no polynomial optimization of the combination algorithm for $\mathcal{D}_{E_1} \otimes \mathcal{D}_{E_2}$.

Proof. We define the mapping $\beta : \mathcal{S}_E \to \mathcal{S}_{1(3)}$. If $L$ is a linear constant restriction on $X \subseteq Var$ with partition $\Pi$, then $\beta(L)$ is the empty truth value assignment if $x \notin X$. In the other case, $\beta(L)$ is defined on all Boolean variables of $X$. For a Boolean variable $p \in X$ we define $\beta(L)(p) = 1$ iff $p \in [x]_\Pi$.

We verify Condition 1 of Definition 7. Let $v$ be a truth value assignment in $Alg_{1(3)}(\varphi_{\geq 1(3)} \wedge \varphi_{\leq 1(3)})$ that satisfies both $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$. Let $tr_1$, $tr_2$, $P$, $Y_1$ and $Y_2$ be defined as in Definitions 10 and 11. Let $Q := \{p \in P \mid v(p) = 1\}$. Since $E_1$ has type 1 (cf. "→") there exists a plain linear constant restriction $L_1 = (\Pi_1, Lab_1, <_1)$ for $\{x\} \cup P \cup Y_1$ such that $[x]_{\Pi_1} = \{x\} \cup Q$ and $\varphi_{\geq 1(3)}^{tr_1}$ is solvable under restriction $L_1$. Since $L_1$ is plain, all classes $[y]_{\Pi_1}$ for $y \in Y_1$ are singletons. Let $\sigma_1$ be a solution. Since $E_2$ has type 2 (cf. "→") there exists a solution $\sigma_2$ of $\varphi_{\leq 1(3)}^{tr_2}$ that identifies all elements of $Q \cup \{x\}$.

Let $\Pi$ be the partition $\Pi_1 \cup \{\{y\} \mid y \in Y_2\}$ that treats the elements of $Y_2$ as singletons. Let $Lab$ be the extension of $Lab_1$ where the elements of $Y_2$ receive label $\Sigma_2$. Let $<$ be an extension of $<_1$ where the additional elements in $Y_2$ are strictly smaller than the elements in $\{x\} \cup P \cup Y_1$. Obviously $L := (\Pi, Lab, <)$ is in $Alg_E(\varphi_{\geq 1(3)}^{tr_1} \wedge \varphi_{\leq 1(3)}^{tr_2})$. We claim that both $(\varphi_{\geq 1(3)}^{tr_1}, L)$ and $(\varphi_{\leq 1(3)}^{tr_2}, L)$ are solvable.

We show that $\sigma_1$ solves $(\varphi_{\geq 1(3)}^{tr_1}, L)$. W.l.o.g. we may assume that $\sigma_1(y) = y$ for all $y \in Y_2$. Since $\sigma_1$ solves $(\varphi_{\geq 1(3)}^{tr_1}, L_1)$ we know that for all $y \in P \cup \{x\} \cup Y_1$ we have $\sigma_1(y) = \sigma_1(rep_{\Pi_1}(y)) = \sigma_1(rep_\Pi(y))$. For $y \in Y_2$ we have $\sigma_1(y) = y = rep_\Pi(y) = \sigma_1(rep_\Pi(y))$. Hence $\sigma_1$ satisfies the first condition of Definition 1. For alien variables $y \in Y_2$ we have $\sigma_1(y) = y = rep_\Pi(y)$. For alien variables $y \in P \cup \{x\}$ we have $\sigma_1(y) = rep_{\Pi_1}(y)$ since $\sigma_1$ solves $(\varphi_{\geq 1(3)}^{tr_1}, L_1)$. It follows that $\sigma_1(y) = rep_\Pi(y)$ and $\sigma_1$ satisfies the second condition of Definition 1. Since all alien variables (i.e., the variables in $P \cup \{x\} \cup Y_2$) are smaller w.r.t. $<$ than domestic variables (i.e., the variables in $Y_1$) it follows that $\sigma_1$ satisfies the third condition of Definition 1. Summing up, we have seen that $\sigma_1$ solves $(\varphi_{\geq 1(3)}^{tr_1}, L)$.

W.l.o.g. we may assume that $\sigma_2(y) = y$ for all $y \in Y_1$. Hence $\sigma_2$ satisfies the second condition of Definition 1. Because $\sigma_2$ identifies the elements of $Q \cup \{x\}$ and all other classes of $\Pi$ are singletons it follows that $\sigma_2$ satisfies the first condition of Definition 1. The formula $\varphi_{\leq 1(3)}^{tr_2}$ does not contain any alien variable in $Y_1$, hence we may assume that the variables of $Y_1$ do not occur in any term $\sigma_2(y)$ for $y \in \{x\} \cup P \cup Y_2$. This shows that $\sigma_2$ satisfies the third condition of Definition 1. Summing up, we have seen that $\sigma_2$ solves $(\varphi_{\leq 1(3)}^{tr_2}, L)$.

We verify Condition 2 of Definition 7. Let $L = (\Pi, Lab, <)$ be a linear constant restriction in $Alg_E(\varphi_{\geq 1(3)}^{tr_1} \wedge \varphi_{\leq 1(3)}^{tr_2})$ and assume that both $\varphi_{\geq 1(3)}^{tr_1}$ and $\varphi_{\leq 1(3)}^{tr_2}$ are solvable under $L$. Since $E_2$ is of type 2 (cf. "←") this implies that variables in $\{x\} \cup P$ receive label $\Sigma_2$ and for $1 \leq i \leq k$ the variables $p_{i_1}, p_{i_2}, p_{i_3}$ have distinct equivalence classes w.r.t. $\Pi$. In particular $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \leq 1$. Since $E_1$ is of type 1 (cf. "←") we conclude that $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$ for $1 \leq i \leq k$. It follows that $\beta(L)$ satisfies $\varphi_{\geq 1(3)}$ and $\varphi_{\leq 1(3)}$. Obviously $\beta(L)$ is in $Alg_{1(3)}(\varphi_{\geq 1(3)} \wedge \varphi_{\leq 1(3)})$.

We have shown that $tr_1$, $tr_2$ and $\beta$ define a polynomial interpretation of $Alg_{1(3)}$ in $Alg_E$. Using Lemma 2 and Theorem 1 the result follows. □

Lemma 4. Let $E_1$ be a regular equational theory. If $E_1$ contains a commutative function symbol⁷, or an associative function symbol, then $E_1$ is of type 1.

Proof. Let $E_1$ be regular and assume that "$f$" is a commutative function symbol of $E_1$. Let $\varphi_{\geq 1(3)} := \bigwedge_{i=1}^{k} R_{\geq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ be an at-least-1-in-3 problem over positive literals with set of Boolean variables $P$. Let $\varphi_{\geq 1(3)}^{tr_1}$ denote the conjunction of all formulae

$$f(f(x, y_i), f(u_i, v_i)) = f(f(p_{i_1}, p_{i_2}), f(p_{i_2}, p_{i_3}))$$

for $i = 1, \ldots, k$ where $x, y_1, \ldots, y_k, u_1, \ldots, u_k, v_1, \ldots, v_k$ are distinct variables. Obviously $tr_1 : \mathcal{P}_{\geq 1(3)} \to \mathcal{P}_{E_1}$ is polynomial-time computable.

We verify condition "→" for theories of type 1. Let $Q$ be a subset of $P$ that contains exactly one literal from each clause. Let $L_1 = (\Pi, Lab, <)$ be a plain linear constant restriction for $Var(\varphi_{\geq 1(3)}^{tr_1})$ such that $[x]_\Pi = \{x\} \cup Q$. Obviously, since $f$ is commutative there is a solution $\sigma_1$ of $\varphi_{\geq 1(3)}^{tr_1}$ that maps all variables in $Q$ to $x$ and the variables $y_i, u_i, v_i$ to the images under this mapping of suitable elements of $\{p_{i_1}, p_{i_2}, p_{i_3}\}$ (i.e., to $x$ or to elements of $P \setminus Q$) for $1 \leq i \leq k$. Elements of $P \setminus Q$ are left fixed under $\sigma_1$. We show that $\sigma_1$ solves $(\varphi_{\geq 1(3)}^{tr_1}, L_1)$. Since $L_1$ is plain all equivalence classes of $\Pi$ with the exception of $[x]_\Pi = Q \cup \{x\}$ are singletons. It follows that $\sigma_1$ satisfies the first condition of Definition 1. Since $L_1$ is plain, $P \cup \{x\}$ is the set of alien variables. For $y \in Q \cup \{x\}$ we have $\sigma_1(y) = x = rep_\Pi(y)$ since by assumption $x$ is the smallest variable of $Var$. The remaining equivalence classes of $P \cup \{x\}$ are singletons of the form $\{p_{i_j}\}$ and we have $\sigma_1(p_{i_j}) = p_{i_j} = rep_\Pi(p_{i_j})$. This shows that $\sigma_1$ satisfies the second condition of Definition 1. Since $L_1$ is plain, alien variables are smaller w.r.t. $<$ than domestic variables. It follows that $\sigma_1$ satisfies the third condition of Definition 1 and solves $(\varphi_{\geq 1(3)}^{tr_1}, L_1)$.

We verify condition "←" for theories of type 1. Assume that $\varphi_{\geq 1(3)}^{tr_1}$ is solvable under the linear constant restriction $L$ with partition $\Pi$ where variables in $\{x\} \cup P$ receive alien label $\Sigma_2$ and for $i = 1, \ldots, k$ the elements $p_{i_1}, p_{i_2}, p_{i_3}$ belong to distinct equivalence classes. Let $\sigma$ be a solution. Since $\sigma$ maps each element $y$ of $\{x, p_{i_1}, p_{i_2}, p_{i_3}\}$ to a variable of the form $rep_\Pi(y)$ (cf. Def. 1) it follows from Remark 1 that $\sigma(x) = rep_\Pi(x)$ must coincide with one of the elements $rep_\Pi(p_{i_1})$, $rep_\Pi(p_{i_2})$ or $rep_\Pi(p_{i_3})$. Hence $|[x]_\Pi \cap \{p_{i_1}, p_{i_2}, p_{i_3}\}| \geq 1$.

In the situation where $E_1$ contains an associative function symbol "$\circ$" we use as $\varphi_{\geq 1(3)}^{tr_1}$ the conjunction of all formulae

$$y_i \circ x \circ u_i = p_{i_1} \circ p_{i_1} \circ p_{i_2} \circ p_{i_3} \circ p_{i_3}$$

and proceed similarly as above. □

⁷ Here a binary function symbol "$f$" is called a commutative (resp. associative) function symbol of $E_1$ if $f$ belongs to the signature of $E_1$ and if $E_1 \models \forall x, y : f(x, y) = f(y, x)$ (resp. $E_1 \models \forall x, y, z : f(x, f(y, z)) = f(f(x, y), z)$).

Lemma 5. Let $E_2$ be a simple equational theory. Assume that the signature $\Sigma_2$ of $E_2$ contains at least one function symbol of arity $k \geq 1$. Then $E_2$ is of type 2.

Proof. For simplicity we assume that $\Sigma_2$ contains a binary function symbol $f$. (The case where $f$ is unary can be treated in the same way, omitting all arguments $u$ in the terms below. If $f$ has arity $k \geq 3$, use $k - 1$ arguments $u$ instead of a single one.) Let $\varphi_{\leq 1(3)} := \bigwedge_{i=1}^{k} R_{\leq 1(3)}(p_{i_1}, p_{i_2}, p_{i_3})$ be an at-most-1-in-3 problem over positive literals with set of Boolean variables $P$. Let $\varphi_{\leq 1(3)}^{tr_2}$ denote the conjunction of all formulae

$$p_{i_1} = f(u, y_i) \;\wedge\; p_{i_2} = f(u, f(u, y_i)) \;\wedge\; p_{i_3} = f(u, f(u, f(u, y_i))) \;\wedge\; x = f(u, v_i)$$

for $i = 1, \ldots, k$ where $x, y_1, \ldots, y_k, u, v_1, \ldots, v_k$ are distinct variables and the $p_{i_j}$ are treated as syntactic variables now ($1 \leq i \leq k$, $j = 1, 2, 3$). Obviously $tr_2 : \mathcal{P}_{\leq 1(3)} \to \mathcal{P}_{E_2}$ is polynomial-time computable.

We verify condition "→" for theories of type 2. Let $Q$ be a subset of $P$ that contains exactly one literal from each clause. Define $\sigma_2(x) := f(u, f(u, f(u, z)))$, where $z$ is a new variable, and for $i = 1, \ldots, k$ define $\sigma_2(v_i) := f(u, f(u, z))$,

$$\sigma_2(y_i) := \begin{cases} f(u, f(u, z)) & \text{if } p_{i_1} \in Q, \\ f(u, z) & \text{if } p_{i_2} \in Q, \\ z & \text{if } p_{i_3} \in Q, \end{cases}$$

and

$$\sigma_2(p_{i_1}) := f(u, \sigma_2(y_i)),$$
$$\sigma_2(p_{i_2}) := f(u, f(u, \sigma_2(y_i))),$$
$$\sigma_2(p_{i_3}) := f(u, f(u, f(u, \sigma_2(y_i)))).$$

Obviously all elements of $Q \cup \{x\}$ are mapped to $f(u, f(u, f(u, z)))$ under $\sigma_2$. Furthermore, $\sigma_2$ is a syntactic unifier of $\varphi_{\leq 1(3)}^{tr_2}$, hence it is a solution of $\varphi_{\leq 1(3)}^{tr_2}$.

We verify condition "←" for theories of type 2. Assume that $\varphi_{\leq 1(3)}^{tr_2}$ is unifiable under the linear constant restriction $L$ with partition $\Pi$, say, with unifier $\sigma_2$. Obviously, since $E_2$ is simple the three variables $p_{i_1}, p_{i_2}, p_{i_3}$ cannot be identified by $\sigma_2$ modulo $E_2$ ($1 \leq i \leq k$). Condition 1 of Definition 1 shows that the three variables $p_{i_1}, p_{i_2}, p_{i_3}$ must belong to distinct equivalence classes w.r.t. $\Pi$. Furthermore, since $E_2$ is simple all variables in $P \cup \{x\}$ have to receive domestic label $\Sigma_2$ in $L$: we show this for $x$, the proof for the other variables is the same. Assume that $x$ is treated as an alien variable. Then, by Definition 1 Nr. 2, we have $\sigma_2(x) = rep_\Pi(x) =_{E_2} f(\sigma_2(u), \sigma_2(v_i))$. Since $E_2$ is simple, the variable $rep_\Pi(x)$ cannot occur in $f(\sigma_2(u), \sigma_2(v_i))$. Let $x'$ be a variable such that $rep_\Pi(x) \neq x'$. Applying the substitution $rep_\Pi(x) \mapsto x'$ we obtain $rep_\Pi(x) =_{E_2} f(\sigma_2(u), \sigma_2(v_i)) =_{E_2} x'$. This would mean that $E_2$ is trivial, a contradiction. □

From Theorem 3, Lemma 5 and Lemma 4 we get the following result, which generalizes Theorem 12 of [Sc97].

Corollary 1. Let $E_1$ and $E_2$ be equational theories over disjoint signatures. Assume that $E_1$ is regular and $E_2$ is simple. If the signature of $E_1$ contains a commutative function symbol, or an associative function symbol, and if the signature of $E_2$ contains at least one function symbol of arity $k \ge 1$, then $\mathcal{D}_{E_1} \oplus \mathcal{D}_{E_2}$ is NP-hard and there is no polynomial optimization of the combination algorithm for $\mathcal{D}_{E_1} \oplus \mathcal{D}_{E_2}$.

9 Conclusion 

We conclude with a brief discussion of three questions that are raised by the results of the preceding section.

1. Is a protocol needed for deciding combined problems? Naively, combination algorithms are often described in an informal way by saying that they allow one to combine existing decision procedures (resp. unification algorithms, etc.) for the component theories into a decision procedure (resp. unification algorithm, etc.) for combined input problems. The notion of a protocol-based combination algorithm emphasizes that some kind of additional restriction has to be imposed on the “original” component problems that are obtained via decomposition of the combined input problem. Consequently, some form of adapted decision procedure is needed for the component problems that can handle these restrictions.

It can be shown that both for Oppen's procedure and for the combination of E-unification algorithms at least some kind of synchronization between the solutions of the component problems is needed: in both cases it is not difficult to describe mixed input problems $\varphi_1 \wedge \varphi_2$ where the input component problems $\varphi_1$ and $\varphi_2$ evaluate to 1 w.r.t. the original (unadapted) decision procedures of the first and second component theory respectively, but $\varphi_1 \wedge \varphi_2$ evaluates to 0 w.r.t. the union of the theories.

2. How significant is the difference between the original input component problems and those with scenarios? The combination method for generalized satisfiability problems introduced in Definition 6 shows that component problems with scenarios can be much simpler than the input component problems. However, the converse is also possible: recently F. Baader [Ba98] has shown that satisfiability of Boolean unification problems with linear constant restriction is PSPACE-complete. It is known that elementary Boolean unification (resp. Boolean unification with constants) is NP-complete (resp. $\Pi_2^p$-complete). It is currently unknown whether there exist equational theories $E$ where $E$-unification with constants is decidable and $E$-unification with linear constant restriction is undecidable.

Even in the case of Oppen's procedure it is remarkable that component problems with scenarios in general contain disequations even if the input component problems do not use negation.

3. Is it possible that there are several protocols that may be used? In this case, how do impossibility results for polynomial optimization depend on the chosen protocol? Since obviously distinct protocols may be equivalent in terms of the solvability conditions which they impose on component problems, the answer to the first question is affirmative. It seems interesting to introduce a formal notion of equivalence between protocols and protocol-based combination methods that apply to the same combined decision problems.

The following observation seems to indicate that, as a default, impossibility results for polynomial optimization of one protocol-based combination method for a combined decision problem carry over to other protocol-based combination methods for the same combined decision problem. Assume we have two protocol-based methods,

$$(\mathcal{S}, \mathrm{Alg}, \mathrm{val}_1, \mathrm{val}_2) \quad\text{and}\quad (\mathcal{S}', \mathrm{Alg}', \mathrm{val}_1', \mathrm{val}_2')$$

for $\mathcal{D}_1 \oplus \mathcal{D}_2$. Assume that we have a polynomial optimization of $\mathrm{Alg}'$, but not of $\mathrm{Alg}$. Then for each combined instance $\varphi_1 \wedge \varphi_2$ the following holds: for each scenario $S' \in \mathrm{Alg}'(\varphi_1 \wedge \varphi_2)$ such that $\mathrm{val}_1'(\varphi_1, S') = 1 = \mathrm{val}_2'(\varphi_2, S')$ there exists a scenario $S \in \mathrm{Alg}(\varphi_1 \wedge \varphi_2)$ such that $\mathrm{val}_1(\varphi_1, S) = 1 = \mathrm{val}_2(\varphi_2, S)$. However, there is no polynomial-time computable function $\beta : S' \mapsto S$ such that always $\mathrm{val}_1'(\varphi_1, S') = 1 = \mathrm{val}_2'(\varphi_2, S')$ implies $\mathrm{val}_1(\varphi_1, \beta(S')) = 1 = \mathrm{val}_2(\varphi_2, \beta(S'))$. Even if we cannot exclude such a situation, it seems to be unusual.
Congruence Closure Modulo Associativity and Commutativity

Abstract. We introduce the notion of an associative-commutative congruence closure and show how such closures can be constructed via completion-like transition rules. This method is based on combining completion algorithms for theories over disjoint signatures to produce a convergent rewrite system over an extended signature. This approach can also be used to solve the word problem for ground AC-theories without the need for AC-simplification orderings total on ground terms. Associative-commutative congruence closure provides a novel way to construct a convergent rewrite system for a ground AC-theory. This is done by transforming an AC-congruence closure, which is described by rewrite rules over an extended signature, to a rewrite system over the original signature. The set of rewrite rules thus obtained is convergent with respect to a new and simpler notion of associative-commutative reduction.



1 Introduction

Congruence closure algorithms have been used to decide if an equality $s \approx t$ logically follows from a set of equalities $E = \{s_1 \approx t_1, s_2 \approx t_2, \ldots, s_k \approx t_k\}$, where all terms are constructed from uninterpreted or free function symbols and constants. They also provide a decision procedure for the validity problem in the quantifier-free theory of equality (with uninterpreted function symbols) [15].

The Nelson-Oppen method [14,17,19] is a general procedure to decide satisfiability of quantifier-free formulas in combinations of certain¹ first-order theories. The crucial steps involved are variable abstraction and equality propagation. The Nelson-Oppen method can be used to obtain a decision procedure for the quantifier-free theory of equality (with uninterpreted function symbols $\Sigma$), as the quantifier-free theory of equality over $\Sigma$ can be viewed as a combination of the quantifier-free theories of equality over the singleton sets $\Sigma_i = \{f\}$, where $\Sigma$ is a disjoint union $\bigcup_i \Sigma_i$ of these sets.

* The research described in this paper was supported in part by the National Science Foundation under grants CCR-9902031, CCR-9711386 and EIA-9705998.

¹ Each individual theory is assumed to be a stably infinite first-order theory (with equality) over a disjoint signature such that satisfiability of quantifier-free formulas in the theory is decidable.

Reconciling these two approaches for deciding satisfiability of quantifier-free formulas (in the theory of equality with uninterpreted function symbols) leads to the concept of an abstract congruence closure, as described in [3]. In this paper, we extend this notion to include associative-commutative function symbols. In other words, some function symbols in $\Sigma$ are assumed to satisfy the associativity and commutativity axioms. Thus, if $f$ is such a symbol, the theory over $\Sigma_i = \{f\}$ is that of a commutative semigroup (and not just the pure theory of equality).

We formally define an associative-commutative congruence closure in Section 2 and present a set of completion-like transition rules to construct such closures in Section 3. We prove the correctness of the transition rules using concepts of proof simplification and normalization, and also establish their termination in Section 4. This establishes decidability for ground AC-theories without the use of AC-simplification orderings that are total on ground terms [13,11]. The construction of AC-congruence closures can be optimized. We discuss some optimizations in Section 5.

We also consider the problem of constructing a convergent rewrite system (over the same signature) for a ground AC-theory. However, rather than obtaining a system $R$ of rules such that $\to_{AC\backslash R^e}$ is convergent, we construct a set $R$ such that a different reduction relation, which we denote by $\to_{P\backslash R^F}$, is convergent. This new notion is much simpler than usual rewriting modulo AC. This set is constructed by transforming the obtained AC-congruence closure, which is a convergent system over an extended signature, to a set over the original signature, see Section 6.

Preliminaries

Let $\Sigma$ be a signature consisting of constants and function symbols, and $\mathcal{V}$ be a set of variables. The arity of a symbol $f$ in $\Sigma$, denoted by $\alpha(f)$, is a set of natural numbers. The set of ground terms $\mathcal{T}(\Sigma)$ over $\Sigma$ is the smallest set containing $\{c \in \Sigma : \alpha(c) = \{0\}\}$ and such that $f(t_1, \ldots, t_n) \in \mathcal{T}(\Sigma)$ whenever $f \in \Sigma$, $n \in \alpha(f)$ and $t_1, \ldots, t_n \in \mathcal{T}(\Sigma)$. The symbols $s, t, u, \ldots$ are used to denote terms; $f, g, h, \ldots$, function symbols; and $x, y, z, \ldots$, variables. We write $E[t]$ to indicate that an expression $E$ contains $t$ as a subterm and (ambiguously) denote by $E[u]$ the result of replacing a particular occurrence of $t$ by $u$. (The same notation will be employed if $E$ is a set of expressions.) By $E\sigma$ we denote the result of applying a substitution $\sigma$ to $E$.

An equation is a pair of terms, written $s \approx t$. We usually identify the two equations $s \approx t$ and $t \approx s$; if the distinction is important, we call the equation a rewrite rule and write $s \to t$. A rewrite system is a set of rewrite rules. The rewrite relation $\to_R$ induced by a set of equations $R$ is defined by: $u \to_R t$ if, and only if, $u$ contains a subterm $l\sigma$ and $t = u[r\sigma]$, for some rewrite rule $l \to r$ in $R$ and some substitution $\sigma$.

A term $t$ is said to be in normal form with respect to a rewrite system $R$, or in $R$-normal form, if there is no term $u$ such that $t \to_R u$. A rewrite system is said to be (ground) confluent if all (ground) terms have a unique normal form. Rewrite systems that are (ground) confluent and terminating are called (ground) convergent.

The set of $\Sigma$-terms with variables in $\mathcal{V}$ is denoted by $\mathcal{T}(\Sigma, \mathcal{V})$. The equational theory induced by a set $\mathcal{E} \subseteq \mathcal{T}(\Sigma, \mathcal{V}) \times \mathcal{T}(\Sigma, \mathcal{V})$ of equations is defined as the reflexive, symmetric, and transitive closure of the rewrite relation induced by $\mathcal{E}$. The pure theory of equality is obtained when the set $\mathcal{E}$ is empty. If $\Sigma_{AC} \subseteq \Sigma$ is a finite set of function symbols, we denote by $P$ the identities

$$f(x_1, \ldots, x_k, s, y_1, \ldots, y_l, t, z_1, \ldots, z_m) \approx f(x_1, \ldots, x_k, t, y_1, \ldots, y_l, s, z_1, \ldots, z_m)$$

where $f \in \Sigma_{AC}$ and $k + l + m + 2 \in \alpha(f)$; and by $F$ the set of identities

$$f(x_1, \ldots, x_m, f(y_1, \ldots, y_r), z_1, \ldots, z_n) \approx f(x_1, \ldots, x_m, y_1, \ldots, y_r, z_1, \ldots, z_n)$$

where $f \in \Sigma_{AC}$ and $\{m+n+1, m+n+r\} \subseteq \alpha(f)$. The congruence induced by $P$ is called a permutation congruence. Flattening refers to normalizing a term with respect to the set $F$ (considered as rewrite rules). The set $AC = F \cup P$ defines an AC-theory. The symbols in $\Sigma_{AC}$ are called associative-commutative operators². We require that $\alpha(f)$ be a singleton for all $f \in \Sigma - \Sigma_{AC}$ and $\alpha(f) = \{2, 3, 4, \ldots\}$ for all $f \in \Sigma_{AC}$.

Rewriting in the presence of associative and commutative operators requires extensions of rules [16]. Given an AC-operator $f$ and a rewrite rule $\rho : f(c_1, \ldots, c_k) \to c$, we define its extension $\rho^e$ as $f(c_1, \ldots, c_k, x) \to f(c, x)$. Given a set of rewrite rules $R$, by $R^e$ we denote the set $R$ plus extensions of rules in $R$. In short, when working with AC-symbols (i) extensions have to be used for rewriting terms and computing critical pairs, and (ii) syntactic matching and unification are replaced by matching and unification modulo AC. Reduction modulo AC is defined by $s \to_{AC\backslash R} t$ iff there exists a rule $l \to r$ in $R$ and a substitution $\sigma$ such that $s = s[l']$, $l' \leftrightarrow^*_{AC} l\sigma$ and $t = s[r\sigma]$; see [6] for details.

A multiset over a set $S$ is a mapping $M$ from $S$ to the natural numbers. Any ordering $\succ$ on a set $S$ can be extended to an ordering $\succ_{mult}$ on multisets over $S$ as follows: $M \succ_{mult} N$ iff $M \ne N$ and whenever $N(x) > M(x)$ then $M(y) > N(y)$ for some $y \succ x$. The multiset ordering $\succ_{mult}$ (on finite multisets) is well founded if the ordering $\succ$ is well founded [7]. Multiset inclusion is defined as $M \subseteq N$ if $M(x) \le N(x)$ for all $x \in S$.

We consider the problem of deciding satisfiability of quantifier-free formulas in an equational theory presented by $\mathcal{E}$. When $\mathcal{E}$ is empty, congruence closure provides an efficient procedure [15]. The notion of AC-congruence closure handles the case when $\mathcal{E} = AC$.

² The equations $F \cup P$ define a conservative extension of the theory of associativity and commutativity to varyadic terms. For a fixed-arity binary function symbol, the equations $f(x, y) \approx f(y, x)$ and $f(f(x, y), z) \approx f(x, f(y, z))$ define an AC-theory.
2 Associative-Commutative Congruence Closure

Let $\Sigma$ be a signature, and $E$ a set of ground equations over $\Sigma$. Let $\Sigma_{AC}$ be some subset of $\Sigma$ containing all the associative-commutative operators, and let $AC$ be the set $F \cup P$ as defined above. The set $\Sigma$ can be written as a disjoint union of singleton sets $\Sigma_i$, where each $\Sigma_i$ contains exactly one function symbol of $\Sigma$. Inspired by the variable abstraction phase in the Nelson-Oppen method [14] and the idea of using constants as “names” of subterms [9], we first attempt to transform the set $E$ of equations into a set of “pure” equations, i.e., each equation is over some signature $\Sigma_i \cup K$, where $K$ is a set of new constants (names) introduced by variable abstraction and shared between the individual theories. Each pure equation thus obtained is in a special form.

Definition 1. Let $\Sigma$ be a signature and $K$ be a set of constants disjoint from $\Sigma$. By a D-rule (with respect to $\Sigma$ and $K$) we mean a rewrite rule of the form

$$f(c_1, \ldots, c_k) \to c_0$$

where $f \in \Sigma$ and $c_0, c_1, \ldots, c_k$ are constants in $K$.

An equation $c \to d$, where $c$ and $d$ are constants in $K$, is called a C-rule (with respect to $K$). An undirected equation $c \approx d$ is called a C-equation.

Rewrite rules of the form $f(c_1, \ldots, c_k) \to f(d_1, \ldots, d_l)$, where $f \in \Sigma_{AC}$ and $c_1, \ldots, c_k, d_1, \ldots, d_l \in K$, will be called AC-rules.

Each D- and AC-rule is over exactly one signature $\Sigma_i \cup K$. The C-rules are equations over every signature $\Sigma_i \cup K$.

For example, let $\Sigma$ consist of the function symbols $a, b, c, f$ and $g$ ($f$ is AC), and let $E_0$ be the set of three equations $f(a, c) \approx a$, $f(c, g(f(b, c))) \approx b$ and $g(f(b, c)) \approx f(b, c)$. Viewing $\Sigma$ as the disjoint union of the signatures $\Sigma_1 = \{a\}$, $\Sigma_2 = \{b\}$, $\Sigma_3 = \{c\}$, $\Sigma_4 = \{f\}$ and $\Sigma_5 = \{g\}$, we can introduce new constants $K = \{c_1, c_2, c_3, c_4, c_5\}$ so that each equation (or rule) is over some $\Sigma_i \cup K$. Therefore, if we let

$$D_1 = \{a \to c_1,\ b \to c_2,\ c \to c_3,\ f(c_2, c_3) \to c_4,\ g(c_4) \to c_5\},$$

then, using these rules, we can simplify the original equations in $E_0$ to obtain the new set $E_1 = \{f(c_1, c_3) \approx c_1,\ f(c_3, c_5) \approx c_2,\ c_5 \approx c_4\}$.

Definition 2. Let $R$ be a set of D-rules, C-rules and AC-rules (with respect to $\Sigma$ and $K$). We say that a constant $c$ in $K$ represents a term $t$ in $\mathcal{T}(\Sigma \cup K)$ (via the rewrite system $R$) if $t \to^*_{AC\backslash R^e} c$. A term $t$ is also said to be represented by $R$ if it is represented by some constant via $R$.

For example, the constant $c_4$ represents the term $f(c, b)$ via $D_1$.

Definition 3. Let $\Sigma$ be a signature and $K$ be a set of constants disjoint from $\Sigma$. A ground rewrite system $R = A^e \cup D^e \cup C$ is said to be an associative-commutative congruence closure (with respect to $\Sigma$ and $K$) if

(i) $D$ is a set of D-rules, $C$ is a set of C-rules, $A$ is a set of AC-rules, and if a constant $c \in K$ is in normal form with respect to $R$, then $c$ represents at least one term $t \in \mathcal{T}(\Sigma)$ via $R$, and

(ii) $AC\backslash R$ is ground convergent modulo AC over $\mathcal{T}(\Sigma \cup K)$.

In addition, if $E$ is a set of ground equations over $\mathcal{T}(\Sigma)$ such that

(iii) if $s$ and $t$ are terms over $\mathcal{T}(\Sigma)$, then $s \leftrightarrow^*_{AC \cup E} t$ if, and only if, $s \to^*_{AC\backslash R} \circ \leftrightarrow^*_{AC} \circ \leftarrow^*_{AC\backslash R} t$,

then $R$ will be called an associative-commutative congruence closure for $E$.

When $\Sigma_{AC}$ is empty this definition specializes to that of an abstract congruence closure [3].

For instance, the rewrite system $D_1 \cup E_1$ above is not a congruence closure for $E_0$, as it is not a ground convergent rewrite system. But we can transform $D_1 \cup E_1$ into a suitable rewrite system, using a completion-like process described in more detail in the next section, to obtain a congruence closure (Example 4),

$$R' = \{a \to c_1,\ b \to c_2,\ c \to c_3,\ f(c_2, c_3) \to c_4,\ f(c_3, c_4) \to c_2,\ f(c_1, c_3) \to c_1,\ f(c_2, c_2) \to f(c_4, c_4),\ f(c_1, c_2) \to f(c_1, c_4),\ g(c_4) \to c_4\}$$

that provides a more compact representation of $E_0$. Note that the constant $c_4$ represents infinitely many terms via $R'$.

3 Construction of Congruence Closures

The completion procedure is obtained by putting together completion procedures over the individual signatures $\Sigma_i \cup K$. Clearly, there are two distinct cases that need to be combined: when $f_i \in \Sigma_i$ is AC, and when it is not. The individual completion procedures working on equations in $\Sigma_i \cup K$ need to exchange equations between constants in $K$ that are generated during the completion procedure. For this purpose, we choose an ordering in which the only terms smaller than a constant in $K$ are other constants in $K$.

Let $U$ be a set of symbols from which new names (constants) are chosen. We need a (partial) AC-compatible reduction ordering which orients the D-rules in the right way, and orients all the C- and AC-equations. The precedence-based AC-compatible ordering $\succ$ of [18], with any precedence in which $f \succ_{\Sigma \cup U} c$ whenever $f \in \Sigma$ and $c \in U$, serves the purpose. Much simpler partial orderings would suffice too, but for convenience we use the ordering in [18]. In our case, this simply means that the orientation of D-rules is from left to right. Additionally, the orientation of an AC-rule will be given by: $f(c_1, \ldots, c_i) \succ f(c_1', \ldots, c_j')$ iff either $i > j$, or $i = j$ and $\{c_1, \ldots, c_i\} \succ_{mult} \{c_1', \ldots, c_j'\}$, i.e., if the two terms have the same number of arguments, we compare the multisets of constants using a multiset extension $\succ_{mult}$ of the precedence $\succ_{\Sigma \cup U}$, see [7].

We next present a general method for the construction of associative-commutative congruence closures. Our description is fairly abstract, in terms of transition rules that operate on triples $(K, E, R)$, where $K$ is a set of new constants that are introduced (the original signature $\Sigma$ is fixed); $E$ is a set of ground equations (over $\Sigma \cup K$) yet to be processed; and $R$ is a set of C-rules, D-rules and AC-rules. Triples represent possible states in the process of constructing a closure. The initial state is $(\emptyset, E, \emptyset)$, where $E$ is the input set of ground equations.



Abstraction

New constants are introduced by the following transition.

Extension:

$$\frac{(K,\ E[f(c_1, \ldots, c_k)],\ R)}{(K \cup \{c\},\ E[c],\ R \cup \{f(c_1, \ldots, c_k) \to c\})}$$

where $f \in \Sigma$; $c_1, \ldots, c_k$ are constants in $K$; $f(c_1, \ldots, c_k)$ is a term occurring in (some equation in) $E$; $c \in U - K$; and, either $f \notin \Sigma_{AC}$, or $f(c_1, \ldots, c_k)$ occurs as a proper subterm of a flattened term, or it occurs as one side of an equation in which the top function symbol at the other side is some $g \ne f$.

Once a D-rule $f(c_1, \ldots, c_k) \to c$ has been introduced by extension, it can be used to eliminate any other occurrence of $f(c_1, \ldots, c_k)$ using the following rule.

Simplification:

$$\frac{(K,\ E[s],\ R)}{(K,\ E[t],\ R)}$$

where $s$ occurs in some equation in $E$, and $s \to_{AC\backslash R^e} t$.

We will also use flattening to replace a term in $E$ or $R$ by its corresponding flattened form.

Deduction

It is fairly easy to see that any equation in $E$ can be transformed to a C- or an AC-equation by suitable extension, flattening and simplification. Once we have obtained rules that contain terms only from a specific signature $\Sigma_i \cup K$, we can perform deduction steps on the separate parts.

In the case when $f_i \in \Sigma_i$ is an AC-symbol we use AC-superposition, wherein we consider overlaps between extensions of AC-rules.

AC-Superposition:

$$\frac{(K,\ E,\ R)}{(K,\ E \cup \{f(s, x\sigma) \approx f(t, y\sigma)\},\ R)}$$

if $f \in \Sigma_{AC}$, there exist D- or AC-rules $f(c_1, \ldots, c_k) \to s$ and $f(d_1, \ldots, d_l) \to t$ in $R$, the substitution $\sigma$ is a most general unifier modulo AC of $f(c_1, \ldots, c_k, x)$ and $f(d_1, \ldots, d_l, y)$³, and $\{c_1, \ldots, c_k\} \cap \{d_1, \ldots, d_l\} \ne \emptyset$.

In the special case when one multiset is contained in the other, we obtain the AC-collapse rule.

AC-Collapse:

$$\frac{(K,\ E,\ R \cup \{t \to s\})}{(K,\ E \cup \{t' \approx s\},\ R)}$$

if for some $u \to v \in R$, $t \to_{AC\backslash\{u \to v\}^e} t'$, and if $t \leftrightarrow^*_{AC} u$ then $s \succ v$.

³ For the special case in hand, there is exactly one most general unifier modulo AC, and it is easy to compute.

In the case of rules that do not contain AC-symbols at the top, superposition reduces to simplification, and hence AC-collapse also captures such superpositions. Note that we do not explicitly add AC extensions of rules to the set $R$, and so any rule in $R$ is either a C-rule, or a D-rule, or an AC-rule, and not its extension. We implicitly work with extensions in AC-superposition.

Orientation

Equations are moved from the $E$-component of the state to the $R$-component by orientation. All rules added to the $R$-component are either C-rules, D-rules or AC-rules.

Orientation:

$$\frac{(K,\ E \cup \{s \approx t\},\ R)}{(K,\ E,\ R \cup \{s \to t\})}$$

if $s \succ t$, and $s \to t$ is either a D-rule, or a C-rule, or an AC-rule.

Deletion allows us to delete trivial equations.

Deletion:

$$\frac{(K,\ E \cup \{s \approx t\},\ R)}{(K,\ E,\ R)}$$

if $s \leftrightarrow^*_{AC} t$.

Simplification

We need additional transition rules to incorporate interaction between the individual completion processes. In particular, C-rules can be used to perform simplifications on the left- and right-hand sides of other rules. The use of C-rules to simplify left-hand sides of rules is captured by AC-collapse. The simplification of right-hand sides is subsumed by the following generalized composition rule.

Composition:

$$\frac{(K,\ E,\ R \cup \{t \to s\})}{(K,\ E,\ R \cup \{t \to s'\})}$$

where $s \to_{AC\backslash R^e} s'$.

Example 4. Let $E_0 = \{f(a, c) \approx a,\ f(c, g(f(b, c))) \approx b,\ g(f(b, c)) \approx f(b, c)\}$. We show below some intermediate stages of a derivation.

 i | Constants $K_i$     | Equations $E_i$                                            | Rules $R_i$                                                   | Transitions
 0 | $\emptyset$         | $E_0$                                                      | $\emptyset$                                                   |
 1 | $\{c_1, c_3\}$      | $\{f(c, g(f(b, c))) \approx b,\ g(f(b, c)) \approx f(b, c)\}$ | $\{a \to c_1,\ c \to c_3,\ f(c_1, c_3) \to c_1\}$          | Ext, Sim, Ori
 2 | $K_1 \cup \{c_2, c_4\}$ | $\{f(c, g(f(b, c))) \approx b\}$                       | $R_1 \cup \{b \to c_2,\ f(c_2, c_3) \to c_4,\ g(c_4) \to c_4\}$ | Ext, Sim, Ori
 3 | $K_2$               | $\emptyset$                                                | $R_2 \cup \{f(c_3, c_4) \to c_2\}$                            | Sim, Ori
 4 | $K_2$               | $\emptyset$                                                | $R_3 \cup \{f(c_1, c_2) \to f(c_1, c_4)\}$                    | ACSup, Ori
 5 | $K_2$               | $\emptyset$                                                | $R_4 \cup \{f(c_2, c_2) \to f(c_4, c_4)\}$                    | ACSup, Ori

The derivation moves equations, one by one, from the $E$-component of the state to the $R$-component through simplification, extension and orientation. It can be verified that the set $R_5$ is an AC congruence closure for $E_0$. Note that the side condition in extension disallows breaking an AC-rule into two D-rules, which is crucial for termination. We assume that $f$ is AC and $c_i \succ c_j$ if $i < j$.

4 Termination and Correctness

Definition 5. We use the symbol $\vdash$ to denote the one-step transition relation on states induced by the above transition rules. A derivation is a sequence of states $\xi_0 \vdash \xi_1 \vdash \cdots$. A derivation is said to be fair if any transition rule which is continuously enabled is eventually applied. The set $R_\infty$ of persisting rules is defined as $\bigcup_i \bigcap_{j \ge i} R_j$; and similarly, $K_\infty = \bigcup_i \bigcap_{j \ge i} K_j$.

We shall prove that any fair derivation will only generate finitely many persisting rewrite rules (in the third component) using Dickson's lemma [5]. Multisets over $K_\infty$ can be compared using the multiset inclusion relation. If $K_\infty$ is finite, this relation defines a Dickson partial order.

Lemma 6. The set of persisting rules $R_\infty$ in any fair derivation starting from state $(\emptyset, E, \emptyset)$ is finite.

Proof. We first claim that $K_\infty$ is finite. To see this, note that new constants are created by extension. Using finitely many applications of extension, simplification, flattening and orientation, we can move all equations from the initial second component $E$ of the state tuple to the third component $R$. Fairness ensures that this will eventually happen. Thereafter, any equation ever added to $E$ can be oriented using flattening and orientation, hence we never apply extension subsequently (see the side condition of the extension rule). Let $K_\infty = \{c_1, \ldots, c_n\}$.

Next we claim that $R_\infty$ is finite. Suppose $R_\infty$ contains infinitely many rules. No transition rule (except extension) increases the number of D- and C-rules in $E \cup R$. Therefore, $R_\infty$ contains infinitely many AC-rules, and since $\Sigma_{AC}$ is finite, one AC-operator, say $f \in \Sigma_{AC}$, must occur infinitely often on the left-hand sides of $R_\infty$. By Dickson's lemma, there exists an infinite chain of rules $f(c_{11}, \ldots, c_{1k_1}) \to s_1$, $f(c_{21}, \ldots, c_{2k_2}) \to s_2, \ldots$ such that $\{c_{11}, \ldots, c_{1k_1}\} \subseteq \{c_{21}, \ldots, c_{2k_2}\} \subseteq \cdots$, where $\{c_{i1}, \ldots, c_{ik_i}\}$ denotes a multiset and $\subseteq$ denotes multiset inclusion. But this contradicts fairness (in the application of AC-collapse). $\square$



Proof Ordering

The correctness of the procedure will be established using proof simplification techniques for associative-commutative completion, as described by Bachmair [1] and Bachmair and Dershowitz [2]. In fact, we can directly use the results and the proof measure from [2]. However, since all rules in $R$ have a special form, we can choose a simpler proof ordering.

Let $s = s[u\sigma] \leftrightarrow s[v\sigma] = t$ be a proof step using the equation (rule) $u \approx v \in AC \cup E \cup R$. The complexity of this proof step is defined by

$$\begin{array}{ll} (\{s, t\}, \bot, \bot) \quad \text{if } u \approx v \in E & (\{s\}, \bot, t) \quad \text{if } u \approx v \in AC \\ (\{s\}, u, t) \quad \text{if } u \to v \in R & (\{t\}, v, s) \quad \text{if } v \to u \in R \\ (\{s\}, \bot, t) \quad \text{if } u \to v \in R^e - R & (\{t\}, \bot, s) \quad \text{if } v \to u \in R^e - R \end{array}$$

where $\bot$ is a new symbol. Tuples are compared lexicographically using the multiset extension of the reduction ordering $\succ$ on terms over $\Sigma \cup K_\infty$ in the first component, and the ordering $\succ$ on the second and third components. The constant $\bot$ is assumed to be minimal. The complexity of a proof is the multiset of the complexities of its proof steps. The multiset extension of the ordering on tuples yields a proof ordering, denoted by the symbol $\succ_P$. The ordering $\succ_P$ on proofs is well founded as it is a lexicographic combination of well-founded orderings.

Lemma 7. Suppose $(K, E, R) \vdash (K', E', R')$. Then, for any two terms $s, t \in \mathcal{T}(\Sigma)$, it is the case that $s \leftrightarrow^*_{AC \cup E' \cup R'} t$ iff $s \leftrightarrow^*_{AC \cup E \cup R} t$. Further, if $\pi$ is a ground proof $s_0 \leftrightarrow s_1 \leftrightarrow \cdots \leftrightarrow s_k$ in $AC \cup E \cup R$, then there is a proof $\pi'$, $s_0 = s_0' \leftrightarrow s_1' \leftrightarrow \cdots \leftrightarrow s_l' = s_k$, in $AC \cup E' \cup R'$ such that $\pi \succeq_P \pi'$.

The first part of the lemma, which states that the congruence on $\mathcal{T}(\Sigma)$ remains unchanged, is easily verified by exhaustively checking it for each transition rule. For the second part, one needs to check that each equation in $(E - E') \cup (R - R')$ has a simpler proof in $E' \cup R' \cup AC$ for each transition rule application, see [2]. Note that extensions of rules are not added explicitly, and hence they are never deleted either. Once we converge to $R_\infty$, we introduce extensions to take care of cliffs in proofs.

Lemma 8. If $R_\infty$ is the set of persisting rules of a fair derivation starting from the state $(\emptyset, E, \emptyset)$, then $R^e_\infty$ is a ground convergent (modulo AC) rewrite system. Furthermore, $E_\infty = \emptyset$.

Proof. (Sketch) Fairness implies that all critical pairs (modulo AC) between rules in $R_\infty$ are contained in the set $\bigcup_i E_i$. Since a fair derivation is non-failing, $E_\infty = \emptyset$. Since the proof ordering is noetherian, for every proof in $E_i \cup R_i \cup AC$ there exists a minimal proof $\pi$ in $E_\infty \cup R_\infty \cup AC$. The minimal proof $\pi$ in $R_\infty \cup AC$ can be further transformed to a minimal proof $\pi'$ in $R^e_\infty \cup AC$ by eliminating cliffs arising from proper overlaps between AC-rules and $R_\infty$-rules.

The proof $\pi'$ is a rewrite proof. This follows from observing that $\pi'$ does not contain any non-overlap, variable overlap, cliff or peak. Any such pattern can be replaced by a smaller proof pattern, thus contradicting the minimality of the proof $\pi$. The details are similar, though much simpler in our special case, to those presented in [2]. $\square$

Using Lemmas 7 and 8, we can easily prove that:

Proposition 9. Let $R_\infty$ be the set of persisting rules of a fair derivation starting from state $(\emptyset, E, \emptyset)$. Let $s, t \in \mathcal{T}(\Sigma)$. Then $s \leftrightarrow^*_{E \cup AC} t$ iff $s \to^*_{AC\backslash R^e_\infty} \circ \leftrightarrow^*_{AC} \circ \leftarrow^*_{AC\backslash R^e_\infty} t$. Furthermore, the set $R_\infty$ is an associative-commutative congruence closure for $E$.
Since $R_\infty$ is finite, there exists a $k$ such that $R_\infty \subseteq R_k$. Though there exist non-terminating fair derivations, we can still identify the finite set of persisting rules if we eagerly apply AC-collapse before any application of AC-superposition at any point after stage $k$.

Example 10. Let us describe one interesting example. Consider the initial set of equations $E_0 = \{f(a, b) \approx b,\ g(b) \approx f(a, a),\ f(b, g(f(a, a, b))) \approx c\}$. Let $f$ be an AC-symbol. We show some of the intermediate states of a fair derivation below:

 i | Constants $K_i$     | Equations $E_i$                                           | Rules $R_i$
 0 | $\emptyset$         | $E_0$                                                     | $\emptyset$
 1 | $\{c_1, c_2\}$      | $\{g(b) \approx f(a, a),\ f(b, g(f(a, a, b))) \approx c\}$ | $\{a \to c_1,\ b \to c_2,\ f(c_1, c_2) \to c_2\}$
 2 | $\{c_1, c_2, c_3\}$ | $\{f(b, g(f(a, a, b))) \approx c\}$                       | $R_1 \cup \{g(c_2) \to c_3,\ f(c_1, c_1) \to c_3\}$
 3 | $\{c_1, c_2, c_3\}$ | $\{f(b, g(f(a, a, b))) \approx c\}$                       | $R_2 \cup \{f(c_2, c_3) \to c_2\}$
 4 | $\{c_1, c_2, c_3\}$ | $\emptyset$                                               | $R_3 \cup \{c \to c_2\}$

Note that since we applied AC-superposition in step 3 before simplifying the last equation in $E$, we avoided introducing a lot of new names.
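The transition rules of Section 3 can be run mechanically on the two inputs of Example 4 and Example 10. The following Python program is an added example and is not the paper's code: it implements Extension, Simplification, Orientation, Deletion, AC-Superposition, AC-Collapse and Composition over ground terms, with the AC symbols' arguments kept as a flattened multiset so that matching modulo AC is multiset inclusion and the extension $f(c_1, \ldots, c_k, x) \to f(c, x)$ needs no explicit rule. Assumptions of this example: fresh names are $c_1, c_2, \ldots$ and do not occur in the input, original constants are not renamed (the paper names them too, which makes no difference to the congruence) and sit above $K$ in the ordering, $c_i \succ c_j$ for $i < j$ as in Example 4, and equations are processed in the order given, so the final rule set can differ from the paper's tables by the naming of constants while deciding the same congruence.

```python
"""Ground AC congruence closure by completion into C-, D- and AC-rules (added example, not the
paper's code).  Terms are strings (constants) or tuples (f, (arg, ...)).  AC symbols keep their
arguments as a flattened multiset (Counter), so AC-matching is multiset inclusion and the extension
f(c1..ck, x) -> f(c, x) is implicit.  Assumed: fresh names c1, c2, ... are not input constants."""
from collections import Counter, deque
from itertools import count

def included(a, b):  # multiset inclusion a <= b
    return all(b[c] >= n for c, n in a.items())

class ACCongruenceClosure:
    def __init__(self, ac=()):
        self.ac, self.fresh, self.K, self.pending = set(ac), count(1), {}, deque()
        self.crules, self.drules, self.acrules = {}, {}, []  # c -> d ; (g, args) -> c ; (f, L, R)

    def rank(self, c):  # Sigma-constants above K, and c1 > c2 > ... as in the paper
        return (0, -self.K[c]) if c in self.K else (1, c)

    def greater(self, s, t):  # constants below compounds; AC terms by size, then multiset of constants
        if isinstance(s, str) or isinstance(t, str):
            return isinstance(t, str) and (not isinstance(s, str) or self.rank(s) > self.rank(t))
        key = lambda x: (len(x[1]), sorted(map(self.rank, x[1]), reverse=True))
        return key(s) > key(t)

    def rep(self, c):  # follow C-rules
        return self.rep(self.crules[c]) if c in self.crules else c

    def term(self, f, ms):  # canonical AC term for an argument multiset (a lone constant is itself)
        elems = sorted(ms.elements(), key=repr)
        return elems[0] if len(elems) == 1 else (f, tuple(elems))

    def name(self, t):  # Extension: a fresh constant for a compound term, plus the rule t -> c
        c = "c%d" % next(self.fresh)
        self.K[c] = len(self.K) + 1
        self.orient(t, c)
        return c

    def norm(self, t, naming=False):  # AC\R^e-normal form; naming abstracts proper compound subterms
        if isinstance(t, str):
            return self.rep(t)
        f, args = t[0], [self.norm(a, naming) for a in t[1]]
        if f not in self.ac:
            args = tuple(self.name(a) if naming and isinstance(a, tuple) else a for a in args)
            return self.rep(self.drules[(f, args)]) if (f, args) in self.drules else (f, args)
        ms = Counter()
        for a in args:  # flattening (the identities F); other compound arguments are named if requested
            ms.update(a[1] if isinstance(a, tuple) and a[0] == f else [self.name(a) if naming and isinstance(a, tuple) else a])
        changed = True
        while changed:  # rewrite with AC-rules and their extensions until no left-hand side is included
            changed = False
            for g, lhs, rhs in self.acrules:
                if g == f and included(lhs, ms):
                    ms, changed = ms - lhs + rhs, True
                    break
        return self.term(f, ms)

    def retract(self, hit):  # AC-collapse / Composition: rules selected by `hit` go back into E
        for key, d in list(self.drules.items()):
            if hit(key[0], Counter(key[1]), Counter([d])):
                del self.drules[key]
                self.pending.append((key, d))
        for f, L, R in list(self.acrules):
            if hit(f, L, R):
                self.acrules.remove((f, L, R))
                self.pending.append((self.term(f, L), self.term(f, R)))

    def orient(self, lhs, rhs):  # add lhs -> rhs, retract rules it reduces, queue AC-superpositions
        if isinstance(lhs, str):  # C-rule
            self.crules[lhs] = rhs
            self.retract(lambda g, L, R: lhs in L or lhs in R)
        elif lhs[0] in self.ac:  # AC-rule, or D-rule with an AC symbol on top
            f, L = lhs[0], Counter(lhs[1])
            R = Counter(rhs[1]) if isinstance(rhs, tuple) else Counter([rhs])
            self.retract(lambda g, L2, R2: g == f and (included(L, L2) or included(L, R2)))
            for g, L2, R2 in list(self.acrules):
                if g == f and L & L2:  # extensions f(L, x) and f(L2, y) overlap: one AC-mgu, one pair
                    u = L | L2
                    self.pending.append((self.term(f, u - L + R), self.term(f, u - L2 + R2)))
            self.acrules.append((f, L, R))
        else:
            self.drules[lhs] = rhs  # D-rule with a free symbol on top

    def add(self, equations):  # apply the transition rules until the E-component is empty
        self.pending.extend(equations)
        while self.pending:
            s, t = [self.norm(x, True) for x in self.pending.popleft()]
            if s == t:  # Deletion
                continue
            if isinstance(s, tuple) and isinstance(t, tuple) and not (s[0] == t[0] and s[0] in self.ac):
                if t[0] in self.ac:  # name the AC side (Extension); the other side then gives a D-rule
                    s, t = t, s
                self.pending.appendleft((t, self.name(s)))
            else:  # Orientation
                self.orient(*((s, t) if self.greater(s, t) else (t, s)))
        return self

    def equal(self, s, t):  # word problem modulo AC and E: compare normal forms, naming nothing
        return self.norm(s) == self.norm(t)

f, g = lambda *a: ("f", a), lambda *a: ("g", a)  # term builders for the examples
def example10():  # E_0 of the paper's Example 10 with f AC (input constructed from the text)
    return ACCongruenceClosure(ac={"f"}).add([(f("a", "b"), "b"), (g("b"), f("a", "a")), (f("b", g(f("a", "a", "b"))), "c")])
```

For Example 10, `example10()` ends with the R-component $\{c \to b,\ g(b) \to c_1,\ f(a, a) \to c_1,\ f(a, b) \to b,\ f(b, c_1) \to b\}$, which is the table's $R_3 \cup \{c \to c_2\}$ with $a$ and $b$ left unnamed; `equal(f("a", "a", "b"), "b")` and `equal("c", "b")` return True and `equal("a", "b")` returns False. Feeding it the $E_0$ of Example 4 yields the seven rules of $R'$ other than the three constant namings, with the $C$-rule $c_1 \to c_2$ in place of the paper's direct orientation of $g(c_4) \to c_4$. The critical-pair computation relies on the footnote's observation that the overlap of two extensions has exactly one AC-unifier: it is the multiset union of the two left-hand sides, so one equation per overlapping pair suffices.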

5 Optimizations 

Certain optimizations can be incorporated into the basic set of transition rules 
given above for computation of congruence closures. A lot of inferences can be 
avoided if we note that we do not need to consider extensions of all rules that 
have an AC symbol on top of their left-hand sides (for the purpose of critical pair 
computations). For example, we need not consider extensions of those D-rules 
that are created by extension to name a proper subterm in E. This fact can be 
easily incorporated using constraints, but we chose not to show it here for the 
sake of simplicity and clarity. Rather than formalizing this completely here, we 
illustrate this with an example below. 

Example 11. Again suppose that the initial set of equations $E_0$ is $\{ f(a,b) \approx b,\ g(b) \approx f(a,a),\ f(b, g(f(b, g(f(a,a,b))))) \approx c \}$. If we choose to first apply extension and simplification until all the initial equations can be oriented using orientation, then we will generate the following set of eleven D-rules:

$a \to c_1$, $b \to c_2$, $fc_1c_2 \to c_2$, $fc_1c_1 \to c_3$, $gc_2 \to c_3$, $fc_3c_2 \to c_4$, $gc_4 \to c_5$, $fc_2c_5 \to c_6$, $gc_6 \to c_7$, $fc_2c_7 \to c_8$, $c \to c_8$.

Now, note the huge number of possible AC-superpositions. However, we need not consider all of them. In particular, we need to consider extensions only of three rules, $fc_1c_2 \to c_2$, $fc_1c_1 \to c_3$, and $fc_2c_7 \to c_8$, and hence AC-superpositions between only these.
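As an added worked example (not code from the paper), the following Python reproduces the extension, simplification and orientation phase of Example 11: every non-constant proper subterm is named by a fresh constant, flat AC terms are simplified with the extensions of existing D-rules (multiset containment of the arguments, i.e. matching modulo permutation), and each D-rule records whether it was created at the top of an equation side, which is the criterion used above to decide which rules need extensions for AC-superposition. The tie-break "newest D-rule first" when several simplifications apply, naming the right-hand side when both sides are non-constant, the orientation of constant equations by index, and the restriction to f as the only AC symbol are our assumptions; AC-superposition, AC-collapse and composition are not implemented.

```python
"""Extension, simplification and orientation phase of the AC congruence closure
on Example 11.  Added example, not the paper's code; strategy choices are ours."""
from collections import Counter

AC = {"f"}                    # assumption: f is the only AC symbol


def T(sym, *args):
    return (sym,) + args


class Closure:
    """D-rules over constants c1, c2, ...; each rule is (lhs, rhs, at_top) where
    lhs is a flat tuple such as ('f','c1','c2') or an original constant ('a',)."""

    def __init__(self):
        self.k = 0
        self.rules = []

    def fresh(self):
        self.k += 1
        return f"c{self.k}"

    def simplify(self, sym, args):
        """Reduce the flat term sym(args) with existing D-rules.  For an AC symbol
        a rule f(c..) -> c is used through its extension f(c..,X) -> f(c,X), i.e.
        by multiset containment of the arguments (matching modulo P).  When
        several rules apply, the newest one is tried first (assumption)."""
        args = tuple(args)
        if sym not in AC:
            for lhs, rhs, _ in self.rules:
                if lhs == (sym,) + args:
                    return rhs
            return (sym,) + args
        changed = True
        while changed:
            changed = False
            for lhs, rhs, _ in reversed(self.rules):
                need, have = Counter(lhs[1:]), Counter(args)
                if lhs[0] == sym and all(have[x] >= n for x, n in need.items()):
                    rest = list((have - need).elements())
                    if not rest:
                        return rhs                       # exact match: f(c..) -> c
                    args, changed = (rhs, *rest), True   # f(c1,c1,c2) -> f(c3,c2)
                    break
        return (sym,) +args

    def name(self, t, top):
        """Extension: return a K-constant for t or, at the top of an equation
        side, a flat term over K; every other non-constant subterm gets a name."""
        if len(t) == 1:                                  # original constant
            for lhs, rhs, _ in self.rules:
                if lhs == t:
                    return rhs
            c = self.fresh()
            self.rules.append((t, c, False))
            return c
        u = self.simplify(t[0], [self.name(s, False) for s in t[1:]])
        if isinstance(u, str) or top:
            return u
        c = self.fresh()
        self.rules.append((u, c, False))
        return c

    def add_equation(self, s, t):
        """Orientation of s ~ t after both sides have been named and simplified."""
        u, v = self.name(s, True), self.name(t, True)
        if isinstance(u, str) and isinstance(v, str):    # two constants
            if u != v:
                big, small = sorted((u, v), key=lambda x: int(x[1:]), reverse=True)
                self.rules.append(((big,), small, False))
        elif isinstance(v, str):
            self.rules.append((u, v, True))
        elif isinstance(u, str):
            self.rules.append((v, u, True))
        else:                                            # both flat: name the rhs
            c = self.fresh()
            self.rules.append((v, c, True))
            self.rules.append((u, c, True))

    def needs_extension(self):
        """Section 5: only AC-headed D-rules that were not created merely to name
        a proper subterm need extensions for AC-superposition."""
        return [(l, r) for l, r, top in self.rules if l[0] in AC and top]


def rule_strings(rules):
    return ["".join(l) + " -> " + r for l, r, *_ in rules]


def example_11():
    a, b, c = T("a"), T("b"), T("c")
    f = lambda *xs: T("f", *xs)
    g = lambda *xs: T("g", *xs)
    E0 = [(f(a, b), b), (g(b), f(a, a)), (f(b, g(f(b, g(f(a, a, b))))), c)]
    cl = Closure()
    for s, t in E0:
        cl.add_equation(s, t)
    return cl


if __name__ == "__main__":
    cl = example_11()
    print("\n".join(rule_strings(cl.rules)))              # the eleven D-rules
    print("need extensions:", rule_strings(cl.needs_extension()))
```

Running the script lists the eleven D-rules in the order they are created and reports exactly the three rules named above as the ones whose extensions matter; the innermost $f(a,a,b)$ is rewritten to $f(c_3, c_2)$ with the extension of $fc_1c_1 \to c_3$ before it is named, which is why $fc_3c_2 \to c_4$ appears.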

Secondly, note that, we can choose the ordering between two constants in 
K on-the-fly. As an optimization we could always choose it in a way so as to 





Congruence Closure Modulo Associativity and Commutativity 255 



minimize the applications of AC-collapse and composition later. In other words, when we need to choose the orientation for $c \approx d$, we can look at the number of occurrences of $c$ and $d$ in the set of D- and AC-rules (in the $R$-component of the state), and the constant with fewer occurrences is made larger.

6 Construction of Ground Convergent AC Rewrite Systems

We next discuss the problem of obtaining a ground convergent AC rewrite system 
for the given ground AC-theory in the original signature. Hence, now we focus our 
attention to the problem of transforming a convergent system over an extended 
signature to a convergent system in the original signature. If we can successfully 
achieve this goal, it would mean that we can do ground AC-completion without 
having an AC-compatible ordering. 

In the case when there are no AC-symbols in the signature, we can construct ground convergent systems from any given abstract congruence closure. This gives an indirect way to construct ground convergent systems equivalent to a given set of ground equations. However, we run into problems when we use the same method for translation in the presence of AC-symbols: after translating back, the set of rules one gets is usually non-terminating modulo AC (Example 12). But if we suitably define the notion of AC-rewriting, the rules are seen to be convergent under the new definition. This is useful in two ways: (i) the new notion of AC-rewriting seems to be more practical, in the sense that it involves strictly less work than a usual $AC\backslash R^e$ reduction [6]; and (ii) it helps to clarify the advantage offered by the use of extended signatures when dealing with a set of ground AC-equations.

Transition Rules 

We describe the process of transforming a rewrite system $R$ over an extended signature $\Sigma \cup K$ to a rewrite system over the original signature $\Sigma$ by transformation rules on states $(K, R)$, where $K$ is the set of constants to be eliminated, and $R$ is a set of rewrite rules over $\Sigma \cup K$ to be transformed.

Constants in $K$ that occur as the left-hand side of some rule in $R$ are called redundant in $R$. Redundant constants can be easily eliminated by the compression rule.

Compression:
    $(K \cup \{c\},\ R \cup \{c \to t\})$
    ------------------------------------
    $(K,\ R')$
  if $R'$ is obtained from $R$ by replacing all occurrences of $c$ in $R$ by $t$.

The basic idea for eliminating a constant $c$ that is not redundant in $R$ involves picking a representative term $t$ (over the signature $\Sigma$) in the equivalence class of $c$, and replacing $c$ by $t$ everywhere in $R$. The selection rule achieves this.

Selection:
    $(K \cup \{c\},\ R \cup \{t \to c\})$
    ------------------------------------
    $(K,\ R')$
  where $c$ is not redundant in $R$, $t \in T(\Sigma)$, $R'$ is the set
  $\{l\sigma \to r\sigma : l \to r \in R\} \cup \{f(t_1, \ldots, t_k, X) \to f(f(t_1, \ldots, t_k), X) : t = f(t_1, \ldots, t_k) \text{ and } f \in \Sigma_{AC}\}$,
  and $\sigma$ is the substitution $\{c \mapsto t\}$.

After applying the substitution, we do not flatten terms. The variable $X$ is a special variable and its role will be discussed later.

Example 12. Consider the problem of constructing a ground convergent system for the set $E_0$ of Example 4. A fully-reduced congruence closure for $E_0$ is given by the set $R_0$

$a \to c_1$, $b \to c_2$, $c \to c_3$, $fc_2c_3 \to c_4$, $fc_3c_4 \to c_2$, $fc_1c_3 \to c_1$, $fc_2c_2 \to fc_4c_4$, $fc_1c_2 \to fc_1c_4$, $gc_4 \to c_4$

under the ordering $c_2 \succ c_4$ between constants. For the constants $c_1$, $c_2$ and $c_3$ we have no choice but to choose $a$, $b$ and $c$ as representatives respectively. Thus after three applications of selection, we get

$fcc_4 \to b$, $fac \to a$, $fbb \to fc_4c_4$, $fab \to fac_4$, $fbc \to c_4$, $gc_4 \to c_4$.

Next we are forced to choose $fbc$ as the representative for the class $c_4$. This gives us the transformed set $R_1$,

$fc(fbc) \to b$, $fac \to a$, $fbb \to f(fbc)(fbc)$, $fab \to fa(fbc)$, $fbcX \to f(fbc)X$, $g(fbc) \to fbc$.

The relation $\to_{AC\backslash R_1}$ is clearly non-terminating (with the variable $X$ considered as a regular term variable).



Rewriting with Sequence Extensions Modulo Permutation Congruence

Let $X$ denote a variable ranging over sequences of terms. A sequence substitution $\sigma$ is a substitution that maps variables to sequences. If $\sigma$ is a sequence substitution that maps $X$ to the sequence $(s'_1, \ldots, s'_m)$, then $f(s_1, \ldots, s_k, X)\sigma$ is the term $f(s_1, \ldots, s_k, s'_1, \ldots, s'_m)$.

Definition 13. Let $\rho$ be a ground rule of the form $f(t_1, \ldots, t_k) \to g(s_1, \ldots, s_m)$ where $f \in \Sigma_{AC}$. We define the sequence extension $\rho^s$ of $\rho$ as $f(t_1, \ldots, t_k, X) \to f(s_1, \ldots, s_m, X)$ if $f = g$, and $f(t_1, \ldots, t_k, X) \to f(g(s_1, \ldots, s_m), X)$ if $f \neq g$.

Now we are ready to define the notion of rewriting we use. Recall that $P$ denotes the equations defining the permutation congruence, and that $AC = F \cup P$.

Definition 14. Let $R$ be a set of ground rules. For ground terms $s, t \in T(\Sigma)$, we say that $s \to_{P\backslash R^s} t$ if there exists a rule $l \to r \in R^s$ and a sequence substitution $\sigma$ such that $s = C[l']$, $l' \leftrightarrow^*_P l\sigma$ and $t = C[r\sigma]$.

Note that the difference with standard rewriting modulo AC is that instead of performing matching modulo AC, we do matching modulo $P$. For example, if $\rho$ is $fac \to a$, then the term $f(f(a,b),c)$ is not reducible by $\to_{P\backslash\rho^s}$, although it is reducible by $\to_{AC\backslash\rho^e}$. The term $f(f(a,b),c,a)$ can be rewritten by $\to_{P\backslash\rho^s}$ to $f(f(a,b),a)$.

Example 15. Following up on Example 12, we note that the relation $\to_{P\backslash R_1^s}$ is convergent. For instance, a normalizing rewrite derivation for the term $fabc$ is

$fabc \to_{P\backslash R_1^s} fa(fbc)c \to_{P\backslash R_1^s} fab \to_{P\backslash R_1^s} fa(fbc)$.

On closer inspection, we find that we are essentially doing a derivation in the original rewrite system $R_0$ (over the extended signature):

$fabc \to_{P\backslash R_0^s} fc_1c_2c_3 \to_{P\backslash R_0^s} fc_1c_4c_3 \to_{P\backslash R_0^s} fc_1c_2 \to_{P\backslash R_0^s} fc_1c_4$.

There is a one-to-one correspondence between a step using $P\backslash R_1^s$ and a step using $P\backslash R_0^s$. This is at the core of the proof of correctness, which we now state without proof.

Theorem 16. If $(\emptyset, R_\infty)$ is the final state of a maximal derivation starting from state $(K, R)$, where $R$ is a fully-reduced AC-congruence closure, then $\to_{P\backslash R_\infty^s}$ is ground convergent on all fully flattened terms over $\Sigma$. The equivalence over flattened $T(\Sigma)$ terms defined by this relation is the same as the equational theory induced by $R \cup AC$ over flattened $T(\Sigma)$ terms.

Note that in the special case when $\Sigma_{AC}$ is empty, the notion of rewriting corresponds to the standard notion, and hence $R_\infty$ is convergent in the standard sense by this theorem.
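The rewrite relation of Definition 14, as an added example in Python that is not code from the paper: terms are tuples, matching modulo $P$ is done by multiset comparison of the arguments of AC symbols, sequence extensions follow Definition 13, and $R_1$ is the system of Example 12. The following conventions are our assumptions: rules whose left-hand side is not headed by an AC symbol, and rules that already contain $X$, are used unchanged; an $f$ with a single argument is identified with that argument (so that $f(a,c,X) \to f(a,X)$ with $X$ empty yields $a$); and a step whose result is $P$-equal to its source does not count as a step (otherwise $fbcX \to f(fbc)X$ with $X$ empty would loop). The strategy (root first, rules in the listed order) reaches the same normal form $fa(fbc)$ as the derivation in Example 15, by a different path.

```python
"""Rewriting modulo the permutation congruence P with sequence extensions
(Definitions 13, 14), run on R_1 of Example 12.  Added example, not code from
the paper; the term encoding, the strategy and the conventions noted are ours."""
from collections import Counter

AC = {"f"}   # assumption: f is the only AC symbol, as in the examples
X = "X"      # the special sequence variable


def T(sym, *args):
    """A term is (symbol, arg, ...); a constant is (symbol,)."""
    return (sym,) + args


def canon(t):
    """Canonical form modulo P: sort AC arguments, so s =_P t iff canon equal."""
    args = [canon(a) for a in t[1:]]
    if t[0] in AC:
        args.sort()
    return (t[0],) + tuple(args)


def seq_extension(rule):
    """Definition 13; non-AC rules and rules already containing X are kept."""
    lhs, rhs = rule
    if lhs[0] not in AC or X in lhs:
        return rule
    if rhs[0] == lhs[0]:
        return (lhs + (X,), rhs + (X,))
    return (lhs + (X,), (lhs[0], rhs, X))


def subst(t, seq):
    """Apply {X -> seq}; no flattening, but f(s) is identified with s."""
    args = []
    for a in t[1:]:
        if a == X:
            args.extend(seq)
        else:
            args.append(subst(a, seq))
    if t[0] in AC and len(args) == 1:
        return args[0]
    return (t[0],) + tuple(args)


def match_root(lhs, t):
    """Sequence bound to X if t =_P lhs{X -> seq} (multiset match at the root)."""
    if lhs[0] != t[0]:
        return None
    if X not in lhs:
        return () if canon(lhs) == canon(t) else None
    need = Counter(canon(p) for p in lhs[1:] if p != X)
    rest = []
    for a in t[1:]:
        if need[canon(a)] > 0:
            need[canon(a)] -= 1
        else:
            rest.append(a)
    return None if any(need.values()) else tuple(rest)


def step(rules, t):
    """One P\\R^s step: root first with the rules in order, then the arguments.
    A result P-equal to t does not count (assumption; it keeps the Selection
    rule f(b,c,X) -> f(f(b,c),X) from looping with X empty)."""
    for lhs, rhs in rules:
        seq = match_root(lhs, t)
        if seq is not None and canon(subst(rhs, seq)) != canon(t):
            return subst(rhs, seq)
    for i, a in enumerate(t[1:], start=1):
        u = step(rules, a)
        if u is not None:
            return t[:i] + (u,) + t[i + 1:]
    return None


def normalize(rules, t, limit=100):
    """Normal form of t together with the derivation that reached it."""
    deriv = [t]
    while (u := step(rules, t)) is not None:
        deriv.append(u)
        t = u
        if len(deriv) > limit:
            raise RuntimeError("no normal form within the step limit")
    return t, deriv


def show(t):
    parts = [show(a) for a in t[1:]]   # paper notation: fabc, fa(fbc)
    return t[0] + "".join(p if len(p) == 1 else "(" + p + ")" for p in parts)


a, b, c = T("a"), T("b"), T("c")
f = lambda *xs: T("f", *xs)
g = lambda *xs: T("g", *xs)
fbc = f(b, c)
# R_1 of Example 12; f(b,c,X) -> f(f(b,c),X) is the rule added by Selection
R1 = [(f(c, fbc), b), (f(a, c), a), (f(b, b), f(fbc, fbc)),
      (f(a, b), f(a, fbc)), (f(b, c, X), f(fbc, X)), (g(fbc), fbc)]
R1S = [seq_extension(r) for r in R1]
RHO_S = [seq_extension((f(a, c), a))]   # rho = fac -> a from the text above

if __name__ == "__main__":
    nf, deriv = normalize(R1S, f(a, b, c))
    print(" -> ".join(show(t) for t in deriv))    # ends in fa(fbc)
    print(step(RHO_S, f(f(a, b), c)))             # None: not P\rho^s-reducible
    print(show(step(RHO_S, f(f(a, b), c, a))))    # fa(fab), i.e. f(fab)a modulo P
```

The script also checks the two claims made after Definition 14: with $\rho = fac \to a$, $f(f(a,b),c)$ has no $P\backslash\rho^s$-redex because matching modulo $P$ does not look through the nested $f$, while $f(f(a,b),c,a)$ rewrites to a term $P$-equal to $f(f(a,b),a)$.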

7 Conclusion 

The fact that we can construct an AC-congruence closure implies that the word 
problem for finitely presented ground AC-theories is decidable, see [11], [13] 
and [8]. Note that we arrive at this result without assuming the existence of an 
AC-simplification ordering that is total on ground terms. The existence of such 
AC-simplification orderings was established in [13], but required a non-trivial 
proof. 

Since we construct a convergent rewrite system, even the problem of determining whether two finitely presented ground AC-theories are equivalent is decidable. Since commutative semigroups are special kinds of AC-theories, where the signature consists of a single AC-symbol and a finite set of constants, these results carry over to this special case [12], [10].

We have shown that we can construct an AC-congruence closure for a finite set $E$ of ground equations (over a signature $\Sigma$ containing AC-symbols) using procedures that construct such closures for finitely presented commutative semigroups. In fact the number of invocations of the latter procedure is bounded above by $n|\Sigma|$, where $n$ denotes the size of the set $E$, and $|\Sigma|$ denotes the cardinality of the set $\Sigma$. This establishes that the word problem for ground AC-theories is no more difficult than the word problem for finitely presented commutative semigroups (modulo a polynomial time factor).

The idea of using variable abstraction to transform a set of equations over several AC-symbols into a set of equations in which each equation contains exactly one AC-symbol appears in [8]. All equations containing the same AC-symbol are separated out, and completed into a canonical rewriting system (modulo AC) using the method proposed in [4]. However, the combination of ground AC-theories with other ground theories is done differently here. In [8], the ground theory (non-AC part) is handled using ground completion (and uses a recursive path ordering during completion). We, on the other hand, use a congruence closure. The usefulness of our approach can also be seen from the simplicity of the correctness proof and the results we obtain for transforming a convergent system over an extended signature to one over the original signature.

The method for completing a finitely presented commutative semigroup (using what we call AC-rules here) has been described in various forms in the literature (e.g. [4]).⁴ It is essentially a specialization of Buchberger's algorithm for polynomial ideals to the case of binomial ideals (i.e. when the ideal is defined by polynomials consisting of exactly two monomials with coefficients $+1$ and $-1$).
Abstract. In this paper we extend the applicability of our combination method for decision procedures for the word problem to theories sharing non-collapse-free constructors. This extension broadens the scope of the combination procedure considerably, for example in the direction of equational theories axiomatizing the equivalence of modal formulae.



1 Introduction 

The word problem for a theory $E$ is concerned with the question of whether two terms are equal in all models of $E$. In [4] we provided modular decidability results for the word problem in the case of unions of equational theories with possibly non-disjoint signatures, subsuming previous well-known results on the decidability of the word problem for the union of equational theories with disjoint signatures [12,11,13]. Our results were achieved by assuming that the function symbols shared by the component theories were constructors in an appropriate sense.

The notion of constructors presented in [4] was modeled after one first introduced in [14], and generalized that in [5]. Its formulation is based on the observation that some equational theories are such that the reducts of their free models to a subset $\Sigma$ of their signature are themselves free. We would call constructors the symbols in $\Sigma$. The actual definition in [4], however, incorporated the restriction that the equational theory of the constructors had to be collapse-free.¹ This restriction was essentially technical, as it was used to provide a syntactic characterization of the generators of the free $\Sigma$-reducts in terms of a certain set $G$ of terms, which was then utilized in various proofs in the paper.

In the present paper, by using a more general way of defining the set $G$ above, we remove the collapse-freeness restriction and show that all the combination results given in [4] continue to hold without it.

* Partially supported by the EC Working Group CCL II. 

** Partially supported by the National Science Foundation grant no. CCR-99-72311. 

1 In other words, no non-variable term over the constructor symbols could be equi- 
valent in E to one of its variables. 
In [4] we used a rule-based procedure for combining in a modular way a procedure deciding the word problem for a theory $E_1$ and a procedure deciding the word problem for a theory $E_2$ into a procedure deciding the word problem for the theory $E_1 \cup E_2$. As mentioned, the main requirement was that the symbols shared by $E_1$ and $E_2$ were constructors for each of them. In this paper, we obtain the generalized combination results by using a proper modification of the procedure, which no longer relies on the assumption that the constructor theory is collapse-free.

The net effect of lifting the collapse-freeness restriction is a considerable expansion of the scope of our combination results. Many more equational theories obtained as a conservative extension of a core $\Sigma$-theory are now such that $\Sigma$ is a set of constructors for them. This means, potentially, that many more theories built as conservative extensions of the same $\Sigma$-theory can be combined with our method.²

One particularly interesting class of such theories includes the equational 
axiomatizations of some (propositional) modal logics, on which we give more 
details in Sect. 2.2. A fair amount of research has been done on the combination 
of modal logics. We believe that our results for the word problems can now be 
used to contribute to this research by recasting the combination of two modal 
logics as the union of their corresponding equational theories. However, we have 
not yet had the time to explore these possibilities in more depth. We are working 
on this in a joint project with modal logicians. 

For now, we present and discuss our generalized notion of constructors, and 
provide some examples of theories admitting constructors in the new sense but 
not in the old one, including an equational theory corresponding to a modal logic. 
Then, we describe the modified version of the combination procedure, provide 
a sketch of its correctness proof, and show how that leads to exactly the same 
results given in [4], but of course with the wider scope provided by the new 
definition of constructors. Because of space limitations, we refer the reader to 
the longer version of this paper [3] for detailed proofs of our results. 

2 Word Problems and Satisfiability Problems 

We will use $V$ to denote a countably infinite set of variables, and $T(\Omega, V)$ to denote the set of all $\Omega$-terms, that is, terms over the signature $\Omega$ with variables in $V$. An equational theory $E$ over the signature $\Omega$ is a set of (implicitly universally quantified) equations between $\Omega$-terms. We use $s = t$ to denote an equation between the terms $s, t$. For an equational theory $E$, the word problem is concerned with the validity in $E$ of equations between $\Omega$-terms. Equivalently, the word problem asks for the (un)satisfiability of the disequation $s \neq t$ in $E$, where $s \neq t$ is an abbreviation for the formula $\neg(s = t)$. As usual, we write "$s =_E t$" to express that the formula $s = t$ is valid in $E$. An equational theory $E$ is collapse-free iff $x \neq_E t$ for all variables $x$ and non-variable terms $t$.

2 The qualification “potentially” is mandatory, of course, because we still need to 
impose some additional computability requirements on the theories to combine. 
Given an $\Omega$-term $s$, an $\Omega$-algebra $\mathcal{A}$, and a valuation $\alpha$ (of the variables in $s$ by elements of $\mathcal{A}$), we denote by $[\![s]\!]^{\mathcal{A}}_\alpha$ the interpretation of $s$ in $\mathcal{A}$ under $\alpha$. Also, if $\Delta$ is a subsignature of $\Omega$, we denote by $\mathcal{A}^\Delta$ the reduct of $\mathcal{A}$ to $\Delta$. An $\Omega$-algebra $\mathcal{A}$ is a model of $E$ iff every equation in $E$ is valid in $\mathcal{A}$. The equational theory $E$ over the signature $\Omega$ defines an $\Omega$-variety, i.e., the class of all models of $E$. When $E$ is non-trivial, i.e., has models of cardinality greater than 1, its variety contains free algebras for any set of (free) generators. If $\mathcal{A}$ is a free algebra in $E$'s $\Omega$-variety with a set $X$ of generators we say that $\mathcal{A}$ is free in $E$ over $X$.

We are interested in combined equational theories, that is, equational theories $E$ of the form $E := E_1 \cup E_2$, where $E_1$ and $E_2$ are equational theories over two signatures $\Sigma_1$ and $\Sigma_2$. We call the elements of $\Sigma := \Sigma_1 \cap \Sigma_2$, if any, shared symbols. We call 1-symbols the elements of $\Sigma_1$ and 2-symbols the elements of $\Sigma_2$. A term $t \in T(\Sigma_1 \cup \Sigma_2, V)$ is an $i$-term iff its top symbol $t(\varepsilon) \in V \cup \Sigma_i$. Note that variables and terms $t$ with $t(\varepsilon) \in \Sigma_1 \cap \Sigma_2$ are both 1- and 2-terms. A subterm $s$ of a 1-term $t$ is an alien subterm of $t$ iff it is not a 1-term and every proper superterm of $s$ in $t$ is a 1-term. Alien subterms of 2-terms are defined analogously. A term over the joint signature $\Sigma_1 \cup \Sigma_2$ is called a shared term if it is a $\Sigma$-term, and a pure term if it is a $\Sigma_i$-term for $i \in \{1, 2\}$. Similarly, an equation $s = t$ is a pure equation if $s$ and $t$ are both $\Sigma_i$-terms for $i \in \{1, 2\}$.

A given disequation $s \neq t$ between $(\Sigma_1 \cup \Sigma_2)$-terms $s, t$ can be transformed into an equisatisfiable formula $\varphi_1 \wedge \varphi_2$, where $\varphi_i$ is a conjunction of pure equations and disequations. This can be achieved by the usual variable abstraction process in which alien subterms are replaced by new variables (see the long version of [4] for a detailed description). Obviously, if $\varphi_1 \wedge \varphi_2$ is satisfiable in a model $\mathcal{A}$ of $E_1 \cup E_2$, each $\varphi_i$ is then satisfiable in the reduct $\mathcal{A}^{\Sigma_i}$, which is a model of $E_i$ ($i = 1, 2$). However, if each $\varphi_i$ is satisfiable in a model $\mathcal{A}_i$ of $E_i$, there may be no model of $E$ in which $\varphi_1 \wedge \varphi_2$ is satisfiable. One case in which there always is one is described by the proposition below (see the long version of [4] for a proof).

Proposition 1. Let $\mathcal{A}_i$ be a model of $E_i$, $\varphi_i$ a first-order $\Sigma_i$-formula ($i = 1, 2$), and $\Sigma := \Sigma_1 \cap \Sigma_2$. Assume that $\mathcal{A}_1^\Sigma$ and $\mathcal{A}_2^\Sigma$ are both free in the same $\Sigma$-variety over respective sets of generators $Y_1$ and $Y_2$ with the same cardinality. If $\varphi_i$ is satisfiable in $\mathcal{A}_i$ with the variables in $Var(\varphi_1) \cap Var(\varphi_2)$ taking distinct values over $Y_i$ for $i = 1, 2$, then $\varphi_1 \wedge \varphi_2$ is satisfiable in a model of $E_1 \cup E_2$.

As mentioned in the introduction, we will be interested in free models of E\ 
and of E 2 whose reducts to their shared signature are themselves free. In general, 
the property of being a free algebra is not preserved under signature reduction. 
The problem is that the reduct of an algebra may need more generators than 
the algebra itself and these generators need not be free. Nonetheless, there are 
free algebras admitting reducts that are also free, although over a possibly larger 
set of generators. These algebras are models of equational theories that admit 
constructors in the sense defined in the next subsection. 
2.1 Theories Admitting Constructors

In the following, $\Omega$ will be an at most countably infinite signature, and $\Sigma$ a subset of $\Omega$. We will fix a non-trivial equational theory $E$ over $\Omega$ and define the $\Sigma$-restriction of $E$ as $E^\Sigma := \{s = t \mid s, t \in T(\Sigma, V) \text{ and } s =_E t\}$.

Definition 2 (Constructors). The subsignature $\Sigma$ of $\Omega$ is a set of constructors for $E$ if for every $\Omega$-algebra $\mathcal{A}$ free in $E$ over a countably infinite set $X$, $\mathcal{A}^\Sigma$ is free in $E^\Sigma$ over a set $Y$ including $X$.

As we will see, this new definition of constructors is a proper generalization of the definition given in [4], which also requires $E^\Sigma$ to be collapse-free. Contrary to the one above, that definition does not require the generators of $\mathcal{A}^\Sigma$ to include those of $\mathcal{A}$; but this is always the case when $E^\Sigma$ is collapse-free.

It is immediate that the whole signature $\Omega$ is a set of constructors for the theory $E$. Similarly, the empty signature is a set of constructors for $E$, as any model of $E$ is free over its whole carrier in $E^\emptyset$, which is axiomatized by $\{v = v \mid v \in V\}$. If $E$ is the union of two theories over disjoint signatures $\Sigma_1, \Sigma_2$ respectively, then each $\Sigma_i$ is a set of constructors for $E$. This is not immediate, but it can be shown as a consequence of some results in [2].

In the following, we provide a more concrete, syntactic characterization of theories admitting constructors. For that we will introduce the concept of a $\Sigma$-base. But first, some more notation will be needed.

Given a subset $G$ of $T(\Omega, V)$, we denote by $T(\Sigma, G)$ the set of terms over the "variables" $G$. More precisely, every member $t$ of $T(\Sigma, G)$ is obtained from a term $s \in T(\Sigma, V)$ by replacing the variables of $s$ with terms from $G$. We will denote such a term $t$ by $s(\bar r)$ where $\bar r$ is the tuple made, without repetitions, of the terms of $G$ that replace the variables of $s$. Notice that this notation is consistent with the fact that $G \subseteq T(\Sigma, G)$. In fact, every $r \in G$ can be represented as $s(r)$ where $s$ is a variable of $V$. Also notice that $T(\Sigma, V) \subseteq T(\Sigma, G)$ whenever $V \subseteq G$. In this case, every $s \in T(\Sigma, V)$ can be trivially represented as $s(\bar v)$ where $\bar v$ are the variables of $s$.

Definition 3 ($\Sigma$-base). A set $G \subseteq T(\Omega, V)$ is a $\Sigma$-base of $E$ iff the following holds:

1. $V \subseteq G$.

2. For all $t \in T(\Omega, V)$, there is an $s(\bar r) \in T(\Sigma, G)$ such that $t =_E s(\bar r)$.

3. For all $s_1(\bar r_1), s_2(\bar r_2) \in T(\Sigma, G)$,

   $s_1(\bar r_1) =_E s_2(\bar r_2)$ iff $s_1(\bar v_1) =_E s_2(\bar v_2)$,

   where $\bar v_1, \bar v_2$ are fresh variables abstracting $\bar r_1, \bar r_2$ so that two terms in $\bar r_1, \bar r_2$ are abstracted by the same variable iff they are equivalent in $E$.

Theorem 4 (Characterization of constructors). The signature $\Sigma$ is a set of constructors for $E$ iff $E$ admits a $\Sigma$-base.
The proof of the theorem, which can be found in [3], provides a little more information than stated in the theorem.

Corollary 5. Let $G$ be a $\Sigma$-base of $E$, $\mathcal{A}$ an $\Omega$-algebra free in $E$ over a countably infinite set $X$, and $\alpha$ a bijective valuation of $V$ onto $X$. Then $\mathcal{A}^\Sigma$ is free in $E^\Sigma$ over the set $Y := \{[\![r]\!]^{\mathcal{A}}_\alpha \mid r \in G\}$, and $X \subseteq Y$.

An interesting question is whether the condition that $X \subseteq Y$ in the definition of constructors is really needed. Does this condition always hold whenever the $\Sigma$-reduct of any algebra $\mathcal{A}$ free in $E$ over the countably infinite set $X$ is itself free? It can be easily shown that $\mathcal{A}^\Sigma$ can be free in $E^\Sigma$ only over a set $Y$ that is countably infinite. The question is: can $Y$ always be chosen so that it includes $X$? When $E^\Sigma$ is collapse-free, $Y$ is unique and it does include $X$, so one need not worry [4]. When $E^\Sigma$ is not collapse-free, however, $\mathcal{A}^\Sigma$ may be free in $E^\Sigma$ over more than one set of generators, not all of which include $X$.

For instance, consider the $\Omega$-theory $E := \{g(g(x)) = x\}$ and let $\Sigma := \Omega$. Let $\mathcal{A}$ be an $\Omega$-algebra free in $E$ over some set $X$ and $\alpha$ a bijective valuation of $V$ onto $X$. It is easy to see that $\mathcal{A}$, which is free in $E^\Sigma$ over $X$ of course, is also free over the set $\{[\![g(v)]\!]^{\mathcal{A}}_\alpha \mid v \in V\}$, disjoint from $X$. Now, this example causes no problems because one can always choose $Y := X$ in this case. For the general case, however, the question remains open.

As shown in Cor. 5, a $\Sigma$-base of a theory $E$ really denotes the set of free generators of a certain free model of $E^\Sigma$. Clearly, there may be many $\Sigma$-bases for the same theory $E$. For instance, if $G$ is a $\Sigma$-base of $E$, any set obtained from $G$ by replacing one of its terms by an $E$-equivalent term is also a $\Sigma$-base of $E$. Also, for any bijective renaming $\pi$ of $V$ onto itself, the set $\{\pi(r) \mid r \in G\}$ is a $\Sigma$-base of $E$ as well.

One may wonder then if it is possible for $E$ to have $\Sigma$-bases that are not just syntactic variants of one another. We know that this is not possible when $E^\Sigma$ is collapse-free. In that case in fact, all $\Sigma$-bases, if any, denote the unique set $Y$ over which the $\Sigma$-reduct of the infinitely generated free model of $E$ is free. As it turns out, then $E$ has a $\Sigma$-base $G_\Sigma(E, V)$ which is closed under bijective renaming of variables and under equivalence in $E$, and as such includes all the $\Sigma$-bases of $E$. In [4] and [14], where the definition of constructors includes the requirement that $E^\Sigma$ be collapse-free, this maximal $\Sigma$-base is defined as follows:

$G_\Sigma(E, V) := \{r \in T(\Omega, V) \mid r \neq_E t \text{ for all } t \in T(\Omega, V) \text{ with } t(\varepsilon) \in \Sigma\}$.

Modulo equivalence in $E$, $G_\Sigma(E, V)$ is made of $\Omega$-terms whose top symbol is not in $\Sigma$, from which it is immediate that $G_\Sigma(E, V)$ is closed under bijective renaming and under equivalence in $E$. To summarize, the following holds for $G_\Sigma(E, V)$ [4].

Proposition 6. Whenever $E^\Sigma$ is collapse-free,

— every $\Sigma$-base of $E$, if any, is included in $G_\Sigma(E, V)$;

— $\Sigma$ is a set of constructors for $E$ iff $G_\Sigma(E, V)$ is a $\Sigma$-base of $E$.
Examples of theories admitting (collapse-free) constructors can be found in [4]. We provide below an example of an equational theory admitting non-collapse-free constructors, that is, constructors in the more general sense of Definition 2. But first, it is instructive to look at at least one counterexample.

Let $E := \{f(g(x)) = f(f(g(x)))\}$ and $\Sigma := \{f\}$. Since $E^\Sigma$ is clearly collapse-free, we know that every $\Sigma$-base of $E$, if any, is included in the set $G_\Sigma(E, V)$ defined earlier. It is easy to see that $G_\Sigma(E, V) = V \cup \{g(t) \mid t \in T(\Omega, V)\}$ and that conditions (1) and (2) of Definition 3 hold for $G_\Sigma(E, V)$. However, condition (3) does not, since $f(g(x)) =_E f(f(g(x)))$ although $f(y) \neq_E f(f(y))$. In conclusion, $\Sigma$ is not a set of constructors for $E$.

Example 7. Consider the signature $\Omega := \{0, s, p, -\}$ and the equational theory $E$ of the integers with zero, successor, predecessor, and unary minus, axiomatized by the equations:

$x = s(p(x))$, $x = p(s(x))$,

$-0 = 0$, $-s(x) = p(-x)$, $-p(x) = s(-x)$, $-(-x) = x$.

The signature $\Sigma := \{0, s, p\}$ is a set of constructors for $E$. This is proven in [3] by showing that the set $G := V \cup \{-v \mid v \in V\}$ is a $\Sigma$-base of $E$.

Many more examples of theories with constructors can be found in the usual axiomatizations of abstract data types. In the next subsection, we point out another, perhaps less obvious, class of examples for which our combination approach could provide fresh insights and results.

Normal Forms. According to Definition 3, if a set $G$ is a $\Sigma$-base of $E$, every $\Omega$-term $t$ is equivalent in $E$ to a term $s(\bar r) \in T(\Sigma, G)$. We call $s(\bar r)$ a $G$-normal form of $t$ in $E$.³ We say that a term $t$ is in $G$-normal form if it is already of the form $t = s(\bar r) \in T(\Sigma, G)$. Because $V \subseteq G$, it is immediate that $\Sigma$-terms are in $G$-normal form, as are terms in $G$.

We will make use of normal forms in our combination procedure. In particular, we will consider normal forms that are computable in the following sense.

Definition 8 (Computable Normal Forms). For any $\Sigma$-base $G$ of $E$ we say that $G$-normal forms are computable for $E$ and $\Sigma$ if there is a computable function $NF^G_E : T(\Omega, V) \to T(\Sigma, G)$ such that $NF^G_E(t)$ is a $G$-normal form of $t$, i.e., $NF^G_E(t) =_E t$.

Note that, unless $E^\Sigma$ is collapse-free, the terms of $G$ may as well start with a $\Sigma$-symbol themselves. This means that, for any given term $t$ in $G$-normal form, it may not be possible to effectively identify those terms $\bar r$ of $G$ such that $t = s(\bar r)$ for some $\Sigma$-term $s$. Now, in the combination procedure shown in Sect. 3 sometimes we will need to first compute the normal form of a term and then decompose that into its components $s$ and $\bar r$. To be able to do this it will be enough to assume (in addition to the computability of normal forms) that $G$ is a recursive set, thanks to the proposition below.

3 Notice that in general a term may have more than one $G$-normal form.
Proposition 9. Let $G$ be a $\Sigma$-base of $E$ and $t \in T(\Sigma, G)$. If $G$ is recursive, there is an effective way of computing a term $s(\bar v) \in T(\Sigma, V)$ and a sequence $\bar r$ of terms in $G$ such that $t = s(\bar r)$.



2.2 Constructors and Modal Logics 

For all normal modal logics [9], equivalence of formulae is a congruence relation on formulae that is closed under substitution [9]. For example, consider the basic modal logic K. Here, the signature $\Sigma_K$ contains the Boolean operators ($\wedge$, $\vee$, $\neg$), the Boolean constant $\top$ (for truth), and the unary (modal) operator $\Box$. Equivalence of formulae in K can be axiomatized [10] by the equational theory $E_K$, which consists of the equational axioms for Boolean algebras, and the two additional equational axioms

$\Box(x \wedge y) = \Box(x) \wedge \Box(y)$ and $\Box(\top) = \top$.

It is easy to see that satisfiability (and validity) of modal formulae in K is decidable iff the word problem for $E_K$ is decidable. For example, a formula $\varphi$ is valid iff $\varphi =_{E_K} \top$. Since satisfiability in K is indeed decidable,⁴ the word problem for $E_K$ is also decidable.

The problem of combining modal logics has been thoroughly investigated (see, e.g., [6,8]). In particular, there are very general results on how decidability of the component logics transfers to their combination (called fusion in the literature). We are interested in the question of whether these combination results can also be obtained within our framework for combining decision procedures for the word problem. This line of research appears to be promising for the following two reasons.

First, it follows from results in [9] (Chap. 4.2) that equivalence in the fusion of two modal logics is axiomatized by the union of the equational theories axiomatizing equivalence in the component logics. In this union, the shared symbols are the Boolean symbols, i.e., $\wedge$, $\vee$, $\neg$, and $\top$. Since the axioms for Boolean algebras contain collapse axioms (e.g., $x \wedge x = x$), it is clear that we will really need the generalized version of constructors introduced in this paper.

Second, the requirement that the reduct of the free algebra to the shared symbols be free is always satisfied for modal logics closed under the Boolean operations $\wedge$, $\vee$, and $\neg$. For example, let $\Sigma$ be the subsignature of $\Sigma_K$ that consists of $\wedge$, $\vee$, $\neg$, and $\top$. It is easy to show that the $\Sigma$-reduct $\mathcal{A}_K^\Sigma$ of the $E_K$-free algebra $\mathcal{A}_K$ over countably infinitely many generators is a countably infinite atomless Boolean algebra. Since the free Boolean algebra over countably infinitely many generators is also a countably infinite atomless Boolean algebra, and since all countably infinite atomless Boolean algebras are known to be isomorphic [7], we can deduce that the reduct $\mathcal{A}_K^\Sigma$ is in fact free. For our combination method to apply, however, this is not sufficient. We need additional conditions; e.g., that normal forms are computable. Unfortunately, it is not even clear how

4 In fact, it is a well-known PSPACE-complete problem. 
a $\Sigma$-base could look like in this case. This would depend on an appropriate characterization of the generators of $\mathcal{A}_K^\Sigma$, which appears to be a non-trivial (and, to the best of our knowledge, not yet solved) problem.

For this reason, we restrict our attention in the example below to a certain sublogic of K. Such a sublogic, which is not Boolean closed, is particularly interesting because the current combination results in modal logic are restricted to Boolean closed modal logics.

Example 10. Let us consider just the conjunctive fragment of K. In equational 
terms, this amounts to restricting the signature £« to the subsignature £^ := 
{A, T, □} and consider only terms (i.e. , modal formulae) built over this signature. 

In [1], it is shown 5 that equivalence of such formulae is axiomatized by the 
theory E which consists of the axioms 

x A (y A z) = (x A y) A z, x Ay = y A x, x Ax = x, iAT eT 
a(xAy) = □(*) A □ (*/), Q(T) = T. 

We claim that Σ⁰ := {∧, ⊤} is a set of constructors in our sense. In fact, the set 

$$G := \{\Box^n(v) \mid n \geq 0 \text{ and } v \in V\}$$

can be shown to be a Σ⁰-base of E_∧. This is an easy consequence of the notion 
of concept-based normal form introduced in [1] and the characterization of 
equivalence proved in the same paper. The concept-based normal form of a 
formula is obtained by exhaustively applying the rewrite rules 

$$\Box(x \wedge y) \to \Box(x) \wedge \Box(y), \quad \Box(\top) \to \top, \quad x \wedge \top \to x, \quad \top \wedge x \to x.$$

It is easy to see that this normal form can be computed in polynomial time, and 
that any formula in normal form is either ⊤ or a conjunction of elements of G. 
Thus, the concept-based normal form is also a G-normal form. Since the set G is 
obviously recursive and closed under variable renaming, the additional 
prerequisites (see below) for our combination approach to apply to E_∧ are 
satisfied as well. 
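The following is an added worked example, not code from [1] or from this paper. It encodes formulae of the conjunctive fragment of K as nested tuples (an assumed encoding), applies the four rewrite rules of Example 10 to a fixpoint, and reads the result back as the set of G-elements □ⁿ(v) it is a conjunction of. Since two formulae are equal in E_∧ exactly when they have the same G-normal form, the last function decides the word problem of E_∧.

```python
"""Concept-based normal form for the conjunctive fragment of K (Example 10).

Formulas over the signature {∧, ⊤, □} are nested tuples (assumed encoding,
not the paper's).  The four rewrite rules are applied exhaustively; the result
is then read back as the set of G-elements □^n(v) it is a conjunction of
(the empty set stands for ⊤).  Two formulas are equal in E_∧ iff they have
the same G-normal form, so `equivalent` decides the word problem of E_∧.
"""
from __future__ import annotations

TOP = ("top",)


def var(v: str) -> tuple:
    return ("var", v)


def box(f: tuple) -> tuple:
    return ("box", f)


def conj(f: tuple, g: tuple) -> tuple:
    return ("and", f, g)


def step(f: tuple) -> tuple | None:
    """Apply one rewrite rule somewhere in f; return None if f is irreducible."""
    if f[0] == "box":
        g = f[1]
        if g[0] == "and":                       # □(x ∧ y) → □(x) ∧ □(y)
            return conj(box(g[1]), box(g[2]))
        if g == TOP:                            # □(⊤) → ⊤
            return TOP
        h = step(g)
        return None if h is None else box(h)
    if f[0] == "and":
        x, y = f[1], f[2]
        if y == TOP:                            # x ∧ ⊤ → x
            return x
        if x == TOP:                            # ⊤ ∧ x → x
            return y
        h = step(x)
        if h is not None:
            return conj(h, y)
        h = step(y)
        return None if h is None else conj(x, h)
    return None                                 # variables and ⊤ are irreducible


def concept_normal_form(f: tuple) -> tuple:
    """Rewrite to a fixpoint.  This terminates: every rule either deletes a
    symbol or moves a ∧ above a □, and the whole run is polynomial."""
    while (g := step(f)) is not None:
        f = g
    return f


def g_elements(f: tuple) -> frozenset:
    """Read a formula in concept-based normal form as a set of pairs (n, v),
    each standing for the G-element □^n(v); ⊤ yields the empty set."""
    if f == TOP:
        return frozenset()
    if f[0] == "and":
        return g_elements(f[1]) | g_elements(f[2])
    n = 0
    while f[0] == "box":
        n, f = n + 1, f[1]
    if f[0] != "var":
        raise ValueError(f"not in normal form: {f}")
    return frozenset({(n, f[1])})


def g_normal_form(f: tuple) -> frozenset:
    return g_elements(concept_normal_form(f))


def equivalent(f: tuple, g: tuple) -> bool:
    """Word problem for E_∧: f =_{E_∧} g iff their G-normal forms coincide
    (associativity, commutativity and idempotency of ∧ are absorbed by the set)."""
    return g_normal_form(f) == g_normal_form(g)
```

The set representation is what makes the comparison modulo the ACI axioms of ∧ trivial; the rewriting handles only the two □-rules and the two ⊤-rules, exactly as in the text.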

Interestingly, if we consider the conjunctive fragment of the modal logic S4 
in place of K, we obtain a quite different behavior: the reduct of the free algebra 
to Σ⁰ is not free (see [4]). This is surprising as, in the Boolean closed case, S4 
behaves like K in the sense that the reduct of the corresponding free algebra is 
still free (for the same reasons as for K). 

2.3 Combination of Theories Sharing Constructors 

To conclude this section we go back to the problem of combining theories and 
consider two non-trivial equational theories E₁, E₂ with respective signatures 
Σ₁, Σ₂ such that Σ := Σ₁ ∩ Σ₂ is a set of constructors for E₁ and for E₂. 
Moreover, we assume that E₁^Σ = E₂^Σ. 

5 Note, however, that [1] employs description logic syntax rather than modal logic 
syntax for formulae. 
For i = 1, 2, let A_i be a Σ_i-algebra free in E_i over some countably infinite 
set X_i, and Y_i := {rθ_i | r ∈ G_i} where G_i is any Σ-base of E_i and θ_i any 
bijection of V onto X_i. From Prop. 1 and Cor. 5, we then have the following: 

Proposition 11. Let φ₁, φ₂ be two first-order formulae of respective signature 
Σ₁, Σ₂. If φ_i is satisfiable in A_i with the elements of Var(φ₁) ∩ Var(φ₂) taking 
distinct values over Y_i for i = 1, 2, then φ₁ ∧ φ₂ is satisfiable in E₁ ∪ E₂. 

An immediate consequence of this result is that the theory E₁ ∪ E₂ above 
is non-trivial. To see that, since φ₁ and φ₂ in the proposition are arbitrary 
formulae, it is enough to take both of them to be the disequation x ≠ y between 
two distinct variables. 

In the rest of the paper we show that, under the above assumptions on E₁ 
and E₂, the combined theory E₁ ∪ E₂ in fact has much stronger properties: 
whenever normal forms are computable for Σ and E_i (i = 1, 2) with respect to 
a recursive Σ-base closed under renaming, the decidability of the word problem 
is a modular property, as is the property of being a set of constructors. 

3 A Combination Procedure for the Word Problem 

In the following, we present a decision procedure for the word problem in an 
equational theory of the form E₁ ∪ E₂ where each E_i is an equational theory 
with decidable word problem. Such a procedure will be obtained as a modular 
combination of the procedures deciding the word problem for E₁ and for E₂. We 
will restrict our attention to equational theories E₁, E₂ that satisfy the following 
conditions for i = 1, 2: 

1. E_i is a non-trivial equational theory over the (countable) signature Σ_i; 

2. Σ := Σ₁ ∩ Σ₂ is a set of constructors for E_i and E₁^Σ = E₂^Σ; 

3. E_i admits a Σ-base G_i closed under bijective renaming of V; 

4. G_i is recursive and G_i-normal forms are computable for Σ and E_i; 

5. the word problem for E_i is decidable. 

As already mentioned, the word problem for E := E₁ ∪ E₂ can be reduced 
to the satisfiability problem (in E) for disequations of the form s₀ ≠ t₀, where 
s₀, t₀ are (Σ₁ ∪ Σ₂)-terms. By variable abstraction it is possible to transform 
any such disequation into a set AS(s₀ ≠ t₀) consisting of pure equations and 
a disequation between two variables such that s₀ ≠ t₀ and AS(s₀ ≠ t₀) are 
"equivalent" in a sense to be made more precise below. The set AS(s₀ ≠ t₀) is 
what we call an abstraction system. To define abstraction systems formally we 
will need some more notation. 

To start with, we will use finite sets of formulae in place of conjunctions of 
such formulae, and say that a set S of formulae is satisfiable in a theory iff the 
conjunction of its elements is satisfiable in that theory. Now, let T be a set of 
equations of the form v = t where v ∈ V and t ∈ T(Σ₁ ∪ Σ₂, V) \ V. The relation 
≺ on T is defined as follows: (u = s) ≺ (v = t) iff v ∈ Var(s). 
By ≺⁺ we denote the transitive and by ≺* the reflexive-transitive closure 
of ≺. The relation ≺ is acyclic if there is no equation v = t in T such that 
(v = t) ≺⁺ (v = t). 

Definition 12 (Abstraction System). A set {x ≠ y} ∪ T is an abstraction 
system with disequation x ≠ y iff x, y ∈ V and the following holds: 

1. T is a finite set of equations of the form v = t where v ∈ V and 
   t ∈ (T(Σ₁, V) ∪ T(Σ₂, V)) \ V; 

2. the relation ≺ on T is acyclic; 

3. for all (u = s), (v = t) ∈ T, 

   a) if u = v then s = t; 

   b) if (u = s) ≺ (v = t) and s ∈ T(Σ_i, V) with i ∈ {1, 2} then t ∉ T(Σ_i, V). 

The above is a generalization of the definition of abstraction system in [4] 
in that now the right-hand side of any equation in T can start with a shared 
symbol. As before, Condition (2) implies that for all (u = s), (v = t) ∈ T, 
if (u = s) ≺* (v = t) then u ∉ Var(t); Condition (3a) implies that a variable 
cannot occur as the left-hand side of more than one equation of T; Condition (3b) 
implies, together with Condition (1), that the elements of every ≺-chain of T 
have strictly alternating signatures (…, Σ₁, Σ₂, Σ₁, Σ₂, …). In particular, when 
Σ₁ and Σ₂ have a non-empty intersection Σ, Condition (3b) entails that if 
(u = s) ≺ (v = t) neither s nor t can be a Σ-term: one of the two must contain 
symbols from Σ₁ \ Σ and the other must contain symbols from Σ₂ \ Σ. 

Proposition 13. The set S := AS(s₀ ≠ t₀) is an abstraction system. Furthermore, 
where v̄ is the tuple that collects all the variables in the left-hand sides of 
the equations of S, the formula ∃v̄.S ⇔ (s₀ ≠ t₀) is logically valid. 

Every abstraction system S = {x ≠ y} ∪ T induces a finite graph G_S := (T, ≺) 
whose set of edges consists of all pairs (n₁, n₂) ∈ T × T such that n₁ ≺ n₂. 
According to Definition 12, G_S is in fact a directed acyclic graph (or dag). 
Assuming the standard definition of path between two nodes and of length of a path 
in a dag, the height h(n) of the node n is the maximum of the lengths of all the 
paths in the dag that end with n. 6 
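The following is an added example, not code from the paper, covering the reduction described at the start of this section together with Definition 12 and Proposition 13. Terms are nested tuples with variables as strings, and the two signatures are assumed for illustration only: Σ₁ = {f, g, c, k}, Σ₂ = {h, c, k}, so that Σ = {c, k} is shared. The code performs variable abstraction into AS(s₀ ≠ t₀) so that every right-hand side is pure and chains alternate signatures, recovers s₀ and t₀ by unfolding (the direction of Prop. 13 that can be checked mechanically), verifies the conditions of Definition 12, and computes the heights h(n) of the induced dag that the ordering restriction of the Ident rule refers to.

```python
"""Variable abstraction AS(s0 ≠ t0) and the dag it induces (Definition 12,
Proposition 13).  Added example; the signatures are assumed for illustration:
Σ1 = {f, g, c, k}, Σ2 = {h, c, k}, shared Σ = {c, k}.  Terms are nested tuples
("f", arg1, ...), variables are plain strings, a constant is ("c",).
"""
from itertools import count

SIG = {1: {"f", "g", "c", "k"}, 2: {"h", "c", "k"}}
SHARED = SIG[1] & SIG[2]


def is_var(t):
    return isinstance(t, str)


def symbols(t):
    return set() if is_var(t) else {t[0]}.union(*(symbols(a) for a in t[1:]))


def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))


def first_nonshared(t):
    """1 or 2 for the first symbol of t outside Σ in pre-order; None for a Σ-term."""
    if is_var(t):
        return None
    if t[0] not in SHARED:
        return 1 if t[0] in SIG[1] else 2
    return next((i for i in map(first_nonshared, t[1:]) if i is not None), None)


class Abstractor:
    def __init__(self):
        self.fresh = (f"v{n}" for n in count())
        self.eqs = {}    # left-hand variable -> pure right-hand side
        self.memo = {}   # alien subterm -> its variable, so equal aliens share one

    def purify(self, t, i):
        """Keep the Σ_i-part of t (shared symbols included) and replace each
        maximal alien subterm, whose root is in Σ_j \\ Σ, by a variable."""
        if is_var(t):
            return t
        if t[0] not in SIG[i]:
            return self.abstract(t)
        return (t[0],) + tuple(self.purify(a, i) for a in t[1:])

    def abstract(self, t):
        """Return a variable equal to t, adding the pure equations it needs."""
        if is_var(t):
            return t
        if t not in self.memo:
            v = self.memo[t] = next(self.fresh)
            self.eqs[v] = self.purify(t, first_nonshared(t) or 1)
        return self.memo[t]


def abstraction_system(s0, t0):
    """AS(s0 ≠ t0) as (x, y, T), standing for {x ≠ y} ∪ T."""
    ab = Abstractor()
    return ab.abstract(s0), ab.abstract(t0), ab.eqs


def unfold(t, T):
    """Replace left-hand variables by their right-hand sides until none is left
    (recovers s0 and t0 from AS(s0 ≠ t0), cf. Prop. 13)."""
    if is_var(t):
        return unfold(T[t], T) if t in T else t
    return (t[0],) + tuple(unfold(a, T) for a in t[1:])


def predecessors(T):
    """pred[v] lists the u with (u = T[u]) ≺ (v = T[v]), i.e. v ∈ Var(T[u])."""
    return {v: [u for u in T if v in variables(T[u])] for v in T}


def heights(T):
    """h(n): length of the longest ≺-path ending in n; ValueError if ≺ is cyclic."""
    pred, h = predecessors(T), {}

    def height(v, path=()):
        if v in path:
            raise ValueError("the relation ≺ is cyclic")
        if v not in h:
            h[v] = max((height(u, path + (v,)) + 1 for u in pred[v]), default=0)
        return h[v]

    for v in T:
        height(v)
    return h


def is_abstraction_system(x, y, T):
    """Definition 12: pure non-variable right-hand sides (1), acyclic ≺ (2), one
    equation per variable (3a, guaranteed by the dict), alternating signatures (3b)."""
    if not (is_var(x) and is_var(y)):
        return False
    if any(is_var(t) or not (symbols(t) <= SIG[1] or symbols(t) <= SIG[2])
           for t in T.values()):
        return False
    try:
        heights(T)
    except ValueError:
        return False
    pred = predecessors(T)
    return not any(symbols(T[u]) <= SIG[i] and symbols(t) <= SIG[i]
                   for v, t in T.items() for u in pred[v] for i in (1, 2))
```

Note how a shared root is handled: k(f(x), h(x)) is kept as the Σ₁-term k(f(x), v₁) with v₁ = h(x), rather than split into the Σ-term k(v₁, v₂), which Condition (3b) forbids from having any ≺-successor. The rules of Fig. 2 themselves are not implemented here; only the input preparation and the dag they work on.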

In the previous section, we would have represented the normal form of a term 
in T(Σ_i, V) (i = 1, 2) as s(q̄) where s was a term in T(Σ, V) and q̄ a tuple of 
terms in G_i. Considering that G_i contains V, we will now use a more descriptive 
notation. We will distinguish the variables in q̄ from the non-variable terms and 
write s(ȳ, r̄) instead, where ȳ collects the elements of q̄ that are in V and r̄ those 
that are in G_i \ V. 

The combination procedure described in Fig. 1 decides the word problem for 
the theory E := E₁ ∪ E₂ by deciding the satisfiability in E of disequations of 
the form s₀ ≠ t₀ where s₀, t₀ are (Σ₁ ∪ Σ₂)-terms. During the execution of the 
procedure, the set S of formulae on which the procedure works is repeatedly 
modified by the application of one of the derivation rules defined in Fig. 2. We 
describe these rules in the style of a sequent calculus. The premise of each rule 
lists all the formulae in S before the application of the rule, where Γ stands 
for all the formulae not explicitly listed. The conclusion of the rule lists all the 
formulae in S after the application of the rule. 

6 Since G_S is acyclic and finite, this maximum exists. 

Input: (s₀, t₀) ∈ T(Σ₁ ∪ Σ₂, V) × T(Σ₁ ∪ Σ₂, V). 

1. Let S := AS(s₀ ≠ t₀). 

2. Repeatedly apply (in any order) Coll1, Coll2, Ident, Simpl, Shar1, Shar2 to 
S until none of them is applicable. 

3. Succeed if S has the form {x ≠ x} ∪ T and fail otherwise. 

Fig. 1. The Combination Procedure. 

Fig. 2. The Derivation Rules. 

The procedure and the rules are almost identical to those given in [4]. The 
only difference is that the rules Shar1 and Shar2 have a different set of 
preconditions to account for the generalization of the notion of normal form 
caused by the new definition of constructors. 

As before, Coll1 and Coll2 remove from S collapse equations that are valid 
in E₁ or E₂, while Ident identifies any two variables equated to equivalent 
Σ_i-terms and then discards one of the corresponding equations. The ordering 
restriction in the precondition of Ident is on the heights that the two equations 
involved have in the dag induced by S. It is there to prevent the creation of 
cycles in the relation ≺ over S. We have used the notation t[y] to express that 
the variable y occurs in the term t, and the notation T[x/t] to denote the set 
of formulae obtained by substituting every occurrence of the variable x by the 
term t in the set T. 

The rule Simpl reduces clutter in S by eliminating those equations that have 
become unreachable along a ≺-path from the initial disequation because of the 
application of previous rules. 

The rules Shar1 and Shar2, which only apply when Σ₁ and Σ₂ are non-disjoint, 
are used in essence to propagate the constraint information represented 
by shared terms. To do that, the rules replace the right-hand side t of an equation 
x = t by its normal form, and then plug the "shared part" of the normal form 
into all those equations whose right-hand side contains x. In the description of 
the rules, an expression like z̄ = r̄ denotes the set {z₁ = r₁, …, z_n = r_n} where 
z̄ = (z₁, …, z_n) and r̄ = (r₁, …, r_n), and s(ȳ, z̄) denotes the term obtained from 
s(ȳ, r̄) by replacing the subterm r_j with z_j for each j ∈ {1, …, n}. This notation 
also accounts for the possibility that t reduces to a non-variable term of G_i. In 
that case, s will be a variable, ȳ will be empty, and r̄ will be a tuple of length 
1. Substitution expressions containing tuples are to be interpreted accordingly; 
also, tuples are sometimes used to denote the set of their components. 

We make one assumption on Shar1 and Shar2 which is not explicitly listed 
in their preconditions. We assume that NF_i (i = 1, 2) is such that, whenever the 
set V₀ := Var(NF_i(t)) \ Var(t) is not empty, 7 each variable in V₀ is fresh with 
respect to the current set S. As explained in [3], this assumption can be made 
without loss of generality whenever G_i is closed under renaming of variables. 

By requiring that r̄ be non-empty, Shar1 excludes the possibility that the 
normal form of the term t is a shared term. It is Shar2 that deals with this case. 
The reason for a separate case is that we want to preserve the property that every 
≺-chain is made of equations with alternating signatures (cf. Definition 12(3b)). 
When the equation x = t has immediate ≺-successors, the replacement of t by 
the Σ-term s may destroy the alternating signatures property because x = s, 
which is both a Σ₁- and a Σ₂-equation, may inherit some of these successors from 
x = t. 8 Shar2 restores this property by merging into x = s all of its immediate 
successors, if any. Condition (e) in Shar2 makes sure that the tuple ȳ₁ = r̄₁ 
collects all these successors. The replacement of ȳ₁ by r̄₁ in Shar1 is done for 
similar reasons. In Shar2, the restriction that the terms in r̄₁ be elements of G_i 
is necessary to ensure termination, as is the condition x ∈ Var(T) in both rules. 

7 This might happen if E_i is non-regular because then Definition 8 does not necessarily 
entail that all the variables of NF_i(t) occur in t. 



A Sketch of the Correctness Proof 

The total correctness of the combination procedure can be proven more or less 
in the same way as in [4]. We can first show that an application of one of the 
rules of Fig. 2 transforms abstraction systems into abstraction systems, preserves 
satisfiability, and leads to a decrease with respect to a certain well-founded 
ordering. This ordering can be obtained as follows: every node in the dag induced 
by the abstraction system S is associated with a pair (h, r), where h is the 
height of the node, r is 1 if the right-hand side of the node is neither in G₁ nor 
in G₂, and 0 otherwise. The abstraction system S is associated with the multiset 
M(S) consisting of all these pairs. Let ≻ be the multiset ordering induced by 
the lexicographic ordering on pairs. 

Lemma 14. Assume that S' is obtained from the abstraction system S by an 
application of one of the rules of Fig. 2. Then the following holds: 

1. M(S) ≻ M(S'). 

2. S' is an abstraction system. 

3. ∃v̄.S ⇔ ∃v̄'.S' is valid in E, where v̄ lists all the left-hand side variables of 
S and v̄' the left-hand side variables of S'. 

Since the multiset ordering ≻ is well-founded, the first point of the lemma implies 
that the derivation rules can be applied only finitely many times. Given that the 
preconditions of each rule are effective because of the computability assumptions 
on the component theories and of Prop. 9, we can then conclude that the 
combination procedure halts on all inputs. The last point of the lemma together 
with Prop. 13 implies that the procedure is sound, that is, if it succeeds on an 
input (s₀, t₀), then s₀ =_E t₀. The second point implies that the final system 
obtained after the termination of the procedure is an abstraction system, which 
plays an important role in the completeness proof. We can prove that the combination 
procedure is complete, that is, succeeds on an input (s₀, t₀) whenever s₀ =_E t₀, 
by showing that Prop. 11 can be applied (see [3] for details). To sum up, this 
shows the overall correctness of the procedure, and thus: 

Lemma 15. Under the given assumptions, the word problem for E := E₁ ∪ E₂ 
is decidable. 

8 As explained above, we assume that the variables in Var(s) \ Var(t) do not occur 
in the abstraction system. Thus, the equations in ȳ₁ = r̄₁ are in fact successors of 
x = t. 

The corresponding result in [4] is indeed a corollary of this one. The difference 
there is that we have the additional restriction that E is collapse-free and we 
use the largest Σ-base of E_i, namely G_{E_i}(Σ, V), instead of an arbitrary one 
(i = 1, 2). In [4], we do not explicitly assume that G_{E_i}(Σ, V) is closed under 
renaming. But this is always the case, as we mentioned earlier. Also, we do not 
postulate that G_{E_i}(Σ, V) is recursive because that is always the case whenever 
G_{E_i}(Σ, V)-normal forms are computable for Σ and E_i. 

Similarly to [4], the decidability result of Lemma 15 is actually extensible 
to the union of any (finite) number of theories, all (pairwise) sharing the same 
signature E and satisfying the same properties as E\ and E 2 above. The reason 
is that, again, all needed properties are modular with respect to theory union. 

Theorem 16. For all theories E₁, E₂ satisfying assumptions (1)–(5) stated at 
the beginning of Sect. 3, the following holds: 

1. Σ is a set of constructors for E := E₁ ∪ E₂ and E^Σ = E₁^Σ = E₂^Σ; 

2. E admits a Σ-base G* closed under bijective renaming of V; 

3. G* is recursive and G*-normal forms are computable for Σ and E; 

4. the word problem for E is decidable. 

The proof of the first three points is still quite involved (see [3] for details) but 
somewhat simpler than the corresponding proof in [4]. It depends on the explicit 
construction of the set G*, given below. There, for all terms r ∈ T(Σ₁ ∪ Σ₂, V), 
we denote by r̂ the pure term obtained from r by abstracting its alien subterms. 

Definition 17. The set G* is inductively defined as follows: 

1. Every variable is an element of G*, that is, V ⊆ G*. 

2. Assume that r(v̄) ∈ G_i \ V for i ∈ {1, 2} and r̄ is a tuple of elements of G* 
with the same length as v̄ such that the following holds: 

   a) r(v̄) ≠_E v for all variables v ∈ V; 

   b) r̂_k ∉ T(Σ_i, V) for all non-variable components r_k of r̄; 

   c) r_k ≠ r_ℓ if r_k, r_ℓ occur at different positions in the tuple r̄. 

Then r(r̄) ∈ G*. 

Notice that every non-collapsing term of G_i is in G* for i = 1, 2 because the 
components of r̄ in the definition above can also be variables. Every non-variable 
element r of G* then has a stratified structure. Each layer of r is made of terms 
all belonging to G₁ or to G₂. Moreover, if the terms in one layer are in G_i, then 
the terms in the layer above and below, if any, are not in G_i. 

4 Future Work 

The results presented in this paper are preliminary in two respects. First, they 
depend on two technical restrictions for which we do not yet know whether 
they are necessary. One is the requirement in the definition of constructors that 
X ⊆ Y (used to prove the completeness of the combination procedure); the other 
is the requirement that the Σ-bases employed in the combination procedure be 
closed under renaming (used in the derivation rules and to prove the modularity 
results). We are trying to find out whether these restrictions can be removed, or 
whether there is a deeper, non-technical, reason for them. 

Second, in order to demonstrate the power of our new combination procedure, 
we intend to investigate more thoroughly its applicability to the combination of 
decision procedures for modal logics. This probably depends on a deep under- 
standing of the structure of the free algebras corresponding to the modal logics 
in question. 
Abstract. In this paper we consider the relative expressive power of 
two very common operators applicable to sets and multisets: the with 
and the union operators. For such operators we prove that they are not 
mutually expressible by means of existentially quantified formulae. In 
order to prove our results, canonical forms for set-theoretic and multiset- 
theoretic formulae are established and a particularly natural axiomatiza- 
tion of multisets is given and studied. 

Keywords. Sets and Multisets Theory, Unification, Constraints. 



Introduction 

In the practice of programming, as well in axiomatic study of set (and multiset) 
theory, two families of constructors are usually employed: 

— Constructors of the form (with) that can build a (possibly) new set by adding 
one element to a given set. A typical element of this family is the cons - 
constructor of lists; 

— Constructors (union) that can build a set made by all the elements of two 
given sets. A typical element of this family is the append-constructor of lists. 

Bernays in [5] was the first to use the with constructor symbol in his axiomatiza- 
tion of Set Theory. Vaught in [22] proved, by giving an essential undecidability 
result, that theories involving such a constructor are extremely expressive and 
powerful. On the other hand, classical set theories (e.g., Zermelo-Fraenkel [16]) 
are more often based on union-like symbols (either unary or binary) and are 
sufficiently powerful to define both with and union. 

In this paper we analyze the relationships between these two (kinds of) ope- 
rators. We show that in both a set and a multiset setting, it is impossible to 
express the union-like operators with existentially quantified formulae based on 
with-like operators and vice versa. These results hold in any set theory suffi- 
ciently expressive to introduce the above operators. 

With-like constructors can be associated with an equational theory containing 
two axioms (left commutativity (C_ℓ) and absorption (A_b), cf., e.g., [13]) 
while union-like symbols are associated to ACI1 equational theories (see, e.g., [4]). 
A by-product of the results of this paper is a systematic proof of the fact that 
the classes of formulae and problems that can be expressed with an (A_b)(C_ℓ) 
unification (constraint) problem and those concerned with ACI(1) unification 
(constraint) problems with constants can not be (trivially) reduced to each other. 

Other consequences of the results of this paper are criteria for choosing the 
classes of constraints that can be managed by a constraint solver (e.g., for pro- 
gramming with constraints, or when analyzing programs by making use of con- 
straints), or for choosing the basic operators for dealing with sets in programming 
languages. 

In Section 1 we formally introduce the problem faced in this paper and we 
fix the notation. In Section 2 we show that it is impossible to express the with 
using union-like constraints in a set framework. In Section 3 we show the vice 
versa. Section 4 shows how to apply the results obtained for expressiveness of 
unification problems and constraints. In Section 5 the results are repeated in the 
context of multisets. Finally, some conclusions are drawn. 



1 Preliminaries 

We assume standard notions and notation of first-order logic (cf. [20]). We use 
L as a meta-variable for first-order languages with equality whose variables are 
denoted by capital letters. We write φ(X₁, …, X_n) for a formula of L with 
X₁, …, X_n as free variables; when the context is clear, we denote a list Z₁, …, Z_n 
of variables by Z̄. The symbol false stands for a generic unsatisfiable formula, 
such as X ≠ X. A formula without quantifiers is said to be open and FV is a function 
returning the set of free variables of a formula. 

Definition of the problem. Let T be a first-order theory over the language L and 
Φ a class of (generally open) L-formulae. Let f be a function symbol such that 
T ⊨ ∀X̄ ∃Y (Y = f(X̄)). We say that f can be existentially expressed by Φ in 
T if there is φ ∈ Φ such that 

$$T \models \forall \bar X\, Y\, \big(Y = f(\bar X) \leftrightarrow \exists \bar Z\, \varphi(\bar X, Y, \bar Z)\big).$$

Assume L contains equality '=' and membership '∈' as binary predicate symbols, 
the constant symbol ∅ for the empty set, and the binary function symbols 
{ · | · } for set construction with, 1 and ∪ for set union. Assume that T is any set 
theory such that these three symbols are governed by the following axioms: 2 

$$(N)\quad \forall X\, (X \notin \emptyset)$$

$$(W)\quad \forall Y\, V\, X\, \big(X \in \{Y \mid V\} \leftrightarrow (X \in V \vee X = Y)\big)$$

$$(U)\quad \forall Y\, V\, X\, \big(X \in Y \cup V \leftrightarrow (X \in Y \vee X \in V)\big)$$

1 The interpretation of {x | y} is {x} ∪ y, hence { · | · } is unnecessary whenever ∪ and 
the singleton set operator are present. Notice that { · | · } is a list-like symbol and 
not the intensional set former {x : φ(x)}. 

2 These axioms are explicitly introduced in minimal set theories (e.g. [5,22,17]) while 
they are consequences of other axioms in stronger ones (e.g. ZF, cf. [16]). 
and also assume that the extensionality principle (E) and the regularity axiom 
(R) hold in T: 

$$(E)\quad \forall X\, Y\, \big(\forall Z\, (Z \in X \leftrightarrow Z \in Y) \rightarrow X = Y\big)$$

$$(R)\quad \forall X\, \exists Z\, \forall Y\, \big(Y \in X \rightarrow (Z \in X \wedge Y \notin Z)\big).$$

Let Φ_∪ and Φ_with be the classes of open formulae built using ∅, ∪, ∈, = and 
∅, { · | · }, ∈, =, respectively. We will prove that for any T satisfying the above 
axioms, the symbol { · | · } can not be existentially expressed by Φ_∪ in T and ∪ 
can not be existentially expressed by Φ_with in T. 

Let HF (the class of hereditarily finite well-founded sets) be the model whose 
domain U can be inductively defined as U = ⋃_{i≥0} U_i with U₀ = ∅, U_{i+1} = 
℘(U_i) (where ℘ stands for the power-set operator) and whose interpretation for 
∅, { · | · }, ∪, ∈, = is the natural one. HF is a submodel of any model of a set theory 
satisfying the above axioms and any formula of Φ_∪ and Φ_with is satisfiable if and 
only if it is satisfiable over HF (cf. [6]). Elements of U can be represented by 
directed acyclic graphs where edges represent the membership relation. 

Technical notations. We use the following syntactic convention for the set 
constructor symbol { · | · }: the term {s₁ | {s₂ | ⋯ {s_n | t} ⋯}} will be denoted by 
{s₁, …, s_n | t} or simply by {s₁, …, s_n} when t is ∅. The function rank, defined 
as: rank(∅) = 0, rank({t | s}) = max{rank(s), 1 + rank(t)} returns the maximum 
'depth' of a ground set, while the function find: 

$$
find(x, t) =
\begin{cases}
\emptyset & \text{if } t = \emptyset,\ x \neq \emptyset \\
\{0\} & \text{if } t = x \\
\{1 + n : n \in find(x, y)\} & \text{if } t = \{y \mid \emptyset\} \\
\{1 + n : n \in find(x, y)\} \cup find(x, s) & \text{if } t = \{y \mid s\},\ s \neq \emptyset
\end{cases}
$$

returns the set of 'depths' at which a given element x occurs in the set t (there is 
an exception for the unique case find(∅, ∅)). For instance, if t is {{∅}, {∅, {∅}}}, 
then rank(t) = 3 (it is sufficient to compute the maximum nesting of braces), and 
find(∅, t) = {2, 3}, find({∅}, t) = {1, 2}, find({∅, {∅}}, t) = {1}. The two above- 
defined functions will be used in Lemma 3 to build a suitable truth valuation for 
(canonical) formulae over HF. We also denote by {∅}ⁿ the (simplest) singleton 
set of rank n, that is the set inductively defined as: {∅}⁰ = ∅, {∅}ⁿ⁺¹ = {{∅}ⁿ}. 
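The following is an added example, not code from the paper, that implements rank, find and {∅}ⁿ on ground terms of the with-constructor and reproduces the values given above for t = {{∅}, {∅, {∅}}}. Terms are nested tuples (an assumed encoding), and the clause "t = x" of find is tested extensionally by first mapping both terms to the hereditarily finite set they denote, which is an assumption about how that clause is read.

```python
"""rank, find and {∅}^n on ground terms of the with-constructor (added example).

Ground terms are nested tuples: EMPTY for ∅ and ("with", y, s) for {y | s}.
to_hf maps a term to the hereditarily finite set it denotes (nested frozensets);
the clause "t = x" of find is tested with it, i.e. extensionally (an assumption
of this encoding).
"""
EMPTY = ()


def with_(y, s):
    return ("with", y, s)


def set_of(*elems, tail=EMPTY):
    """{s1, ..., sn | tail}, the abbreviation used in the paper."""
    t = tail
    for e in reversed(elems):
        t = with_(e, t)
    return t


def to_hf(t):
    """The element of HF denoted by t, as nested frozensets."""
    if t == EMPTY:
        return frozenset()
    _, y, s = t
    return to_hf(s) | {to_hf(y)}


def rank(t):
    """rank(∅) = 0, rank({t | s}) = max{rank(s), 1 + rank(t)}."""
    if t == EMPTY:
        return 0
    _, y, s = t
    return max(rank(s), 1 + rank(y))


def find(x, t):
    """Depths at which x occurs in t, following the four clauses of the
    definition; find(∅, ∅) = {0} is the one exceptional case."""
    if to_hf(t) == to_hf(x):
        return {0}
    if t == EMPTY:
        return set()
    _, y, s = t
    depths = {1 + n for n in find(x, y)}
    return depths if s == EMPTY else depths | find(x, s)


def singleton_chain(n):
    """{∅}^n: {∅}^0 = ∅ and {∅}^(n+1) = {{∅}^n}."""
    t = EMPTY
    for _ in range(n):
        t = with_(t, EMPTY)
    return t


# The paper's example, built with the abbreviation: t = {{∅}, {∅, {∅}}}.
EXAMPLE = set_of(set_of(EMPTY), set_of(EMPTY, set_of(EMPTY)))
```

Because the tail s of {y | s} is searched with find(x, s) rather than with 1 + find, depths are counted from the elements of t and not from the list-like spine, which is what makes find({∅}, t) = {1, 2} rather than a set of spine positions.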

2 Union vs with 

In this section we show that the function symbol { · | · } can not be existentially 
expressed by the class of formulae Φ_∪. To prove this fact it is sufficient to 
verify that it is impossible to express the singleton operator, namely the formula 
X = {Y}, i.e., X = {Y | ∅}: 

Lemma 1. Let φ be a satisfiable formula of Φ_∪. Then there is a satisfying 
valuation σ over HF for φ s.t. for all X ∈ FV(φ) either σ(X) = ∅ or |σ(X)| ≥ 2. 
Proof. Without loss of generality, we can restrict our attention to flat formulae in 
DNF, namely disjunctions of conjunctions of literals of the form X op Y, X = 
Y ∪ Z, X = ∅, where op can be =, ≠, ∈, ∉, and X, Y, Z are variables. If φ is 
satisfiable, then it is satisfiable over HF; let σ be a valuation which satisfies 
φ over HF and consider a disjunct ψ satisfied by σ. Assume σ does not fulfill 
the requirements (otherwise we have directly the thesis) and consider the term 
substitution θ = [X/∅ : σ(X) = ∅]; let ψ' be the formula obtained by 

1. removing from ψθ all the literals of the form ∅ = ∅, ∅ = ∅ ∪ ∅, X ∉ ∅, ∅ ∉ ∅, 

2. replacing the literals of the form X = Y ∪ ∅, X = ∅ ∪ Y with X = Y, and 

3. replacing all literals of the form ∅ ≠ X with X ≠ ∅. 

All the literals of ψ' are of the form X = Y ∪ Z, X = Y, X ≠ Y, X ≠ ∅, X ∈ 
Y, ∅ ∈ Y, X ∉ Y, ∅ ∉ Y and σ(X) ≠ ∅ for all X ∈ FV(ψ'). 3 

Let n = max_{X ∈ FV(ψ')} rank(σ(X)) and let c be a set of rank n. We obtain a 
satisfying valuation σ' such that σ'(X) is not a singleton for all X ∈ FV(ψ'), by 
adding c to all the non-empty elements in the transitive closure of the σ(X)'s. 
More in detail, given the membership graphs denoting the sets associated by σ 
to the variables in ψ', we can build the (unique) global minimum graph G_σ. Now, 
let G_c be the minimum (rooted) graph denoting the set c. Add an edge from all 
the nodes of G_σ, save the unique leaf denoting ∅, to (the root of) G_c, obtaining 
a new graph G_σ' (the entry points of the variables remain the same). We prove 
that all literals of ψ' are satisfied by G_σ' (i.e. by σ'): 

X ≠ ∅, ∅ ∉ Y, ∅ ∈ Y: These literals are fulfilled by G_σ and we have added no 
edges to the leaves. 

X = Y: X and Y have the same entry point in the graph G_σ, and thus in G_σ'. 

X = Y ∪ Z: We have added the same entity to all sets. Equality remains true. 

X ∈ Y: This means that there is an edge from the node associated to Y to that 
associated to X in G_σ. The edge remains in G_σ'. 

X ≠ Y: By contradiction. Let v be a minimal (w.r.t. the membership relation) 
node of the graph G_σ such that there is another node v' in G_σ bisimilar to v 
in G_σ'. This means that: 

- a node μ, ∈-successor of v, is different from a node μ', ∈-successor of v', 
in G_σ and they are equal in G_σ': this is absurd since v is an ∈-minimal 
node with this property; or 

- a node μ, ∈-successor of v, or a node μ', ∈-successor of v', is equal in G_σ' 
to the root of G_c: this is absurd since either they represent ∅ or G_c is 
also an element of the set represented by them and the overall graph is 
acyclic. 

X ∉ Y: In G_σ there is no edge from the node associated to Y to that associated 
to X. Using the same considerations as in the previous point, it is impossible 
that now the former collapses with a node reached by an outgoing edge from 
the node associated to Y. 

3 Observe that, for instance, a literal X = ∅ cannot be in ψ' since σ satisfies ψ and, 
by hypothesis, X is mapped to a non-empty set. 




Comparing Expressiveness of Set Constructor Symbols 279 



To complete the valuation, map to ∅ all variables occurring only in the other 
disjuncts. □ 
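The following is an added example, not code from the paper, that carries out the graph construction of the proof on a small constructed valuation. Elements of HF are nested frozensets; adding an edge from every non-∅ node of G_σ to the root of G_c is, on sets, the recursive operation fatten(c, s) below. The set c is taken to be {∅}ⁿ for n the largest rank among the σ(X) (any set of rank n would do, as the proof says); the valuation and the flat literals are constructed for the demonstration and are labelled as such in the code.

```python
"""The graph construction in the proof of Lemma 1 (added example).

Elements of HF are nested frozensets.  fatten(c, s) adds c to s and to every
non-empty set in the transitive closure of s, which is exactly "add an edge
from every node except the ∅ leaf to the root of G_c".  The valuation SIGMA and
the flat literals LITERALS are constructed for the demonstration; check()
confirms that the literals survive the fattening and that no non-empty value
is a singleton afterwards.
"""
EMPTY = frozenset()


def hf(*elems):
    return frozenset(elems)


def rank(s):
    return 0 if not s else 1 + max(rank(e) for e in s)


def singleton_chain(n):
    """{∅}^n, a convenient set of rank n to play the role of c."""
    s = EMPTY
    for _ in range(n):
        s = hf(s)
    return s


def fatten(c, s):
    """σ'(X) from σ(X): c joins every non-empty set hereditarily contained in s;
    ∅, the unique leaf of the membership graph, is untouched."""
    if not s:
        return EMPTY
    return frozenset(fatten(c, e) for e in s) | {c}


def fatten_valuation(sigma):
    """The proof's σ': n is the largest rank among the σ(X), c a set of rank n."""
    c = singleton_chain(max(rank(v) for v in sigma.values()))
    return {x: fatten(c, v) for x, v in sigma.items()}


def holds(literal, sigma):
    """Evaluate a flat literal: ("union", X, Y, Z) means X = Y ∪ Z, the others
    are ("=", a, b), ("!=", a, b), ("in", a, b), ("notin", a, b); an argument is
    a variable name or a constant set (∅ in the literals of ψ')."""
    op, *args = literal
    a = [sigma[t] if isinstance(t, str) else t for t in args]
    return {"union": lambda: a[0] == a[1] | a[2],
            "=": lambda: a[0] == a[1],
            "!=": lambda: a[0] != a[1],
            "in": lambda: a[0] in a[1],
            "notin": lambda: a[0] not in a[1]}[op]()


# Constructed valuation: X = {∅} and Y = {{∅}} are the singletons to get rid of,
# and Z = X ∪ Y.  Constructed literals of the shapes allowed in ψ'.
SIGMA = {"X": hf(EMPTY), "Y": hf(hf(EMPTY)), "Z": hf(EMPTY, hf(EMPTY))}
LITERALS = [("union", "Z", "X", "Y"), ("in", "X", "Y"), ("!=", "X", "Y"),
            ("notin", "Y", "X"), ("in", EMPTY, "X"), ("!=", "X", EMPTY),
            ("notin", EMPTY, "Y")]


def check(literals, sigma):
    """(all literals hold under σ, all hold under σ', no σ'(X) is a singleton)."""
    fat = fatten_valuation(sigma)
    return (all(holds(l, sigma) for l in literals),
            all(holds(l, fat) for l in literals),
            all(len(v) != 1 for v in fat.values()))
```

Two facts from the proof are visible in the code: fatten never produces c itself (a fattened non-empty set contains c, and c ∈ c is excluded by regularity), so distinct sets stay distinct and every non-empty result has at least two elements; and because the same c is added everywhere, X = Y ∪ Z is preserved without any case analysis.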



Theorem 1. Let T be any set theory implying NWUER. Then the function 
symbol { · | · } can not be existentially expressed by Φ_∪ in T. 

Proof. By contradiction, assume that φ ∈ Φ_∪ existentially expresses { · | · } in 
T. Then φ is satisfiable over HF. The result follows from Lemma 1 and the 
fact that HF is a submodel of any model of NWUER. □ 

3 with vs union 

In this section we show that it is impossible to existentially express the function 
symbol ∪ using the class of formulae Φ_with. We make use of the following notion: 
a conjunction φ of Φ_with-literals is said to be in canonical form if φ = false or 
each literal is either of the form A = t, r ∉ B, C ≠ s where A, B, C are variables 
and A occurs neither in t nor elsewhere in φ, B does not occur in r, and C 
does not occur in s. 

Lemma 2 ([8,9]). Let φ(X̄) be a formula in Φ_with; then there is a formula 
φ'(X̄, Ȳ) = ⋁_i φ_i(X̄_i, Ȳ_i) s.t. {X̄_i} ⊆ {X̄}, {Ȳ} = ⋃_i {Ȳ_i}, and each φ_i is (a 
conjunction of literals) in canonical form. Moreover, HF ⊨ ∀X̄ (φ ↔ ∃Ȳ ⋁_i φ_i). 

The above lemma, guaranteeing that any formula can be rewritten as a 
disjunction of canonical formulae, goes a long way towards providing a satisfiability 
test. In fact, consider the following 

Lemma 3. 1. If φ(X̄) is in canonical form and different from the formula 
false, then HF ⊨ ∃X̄ φ. 

2. If φ(X, Y, Z̄) is in canonical form, different from false, and there are neither 
atoms of the form X = s nor of the form Y = t in φ, then there is a valuation 
γ such that HF ⊨ φγ, but HF ⊨ (X ⊈ Y)γ. 

3. Let φ be a formula in canonical form, different from false, in which there is 
at least one of the atoms: 

   X = {s₁, …, s_m | A},   Y = {t₁, …, t_n | B} 

where A and B are different variables and B ≠ X, A ≠ Y. Then there is a 
valuation γ such that HF ⊨ φγ and HF ⊨ (X ⊈ Y)γ. 

Proof. We prove (1) finding a particular valuation that satisfies the condition 
(2) and helps us in proving (3). 

1) We split φ into φ_=, φ_≠, and φ_∉, containing =, ≠, and ∉ literals, 
respectively. 

φ_= has the form X₁ = t₁ ∧ ⋯ ∧ X_m = t_m and for all i = 1, …, m, X_i 
appears uniquely in X_i = t_i and X_i ∉ FV(t_i). We define the mapping θ₁ = 
[X₁/t₁, …, X_m/t_m]. 




